
Hello, I have had several viruses etc., but this is the worst I have ever had. It won't let me fully install virus/trojan/etc. removal software. I am getting three or four popups at a time, and these little boxes pop up saying stuff like I have lost some file extensions or something like that. Next time it pops up I will post exactly what it says. When I was able to run Ad-Aware, I would erase everything and then it was all back again. It will not let me open HijackThis either. Also, my Task Manager says it has been disabled by the administrator. Will someone give me a starting point please? PS: this is my work computer so I won't be back on till tomorrow. Thanks, Ryun

4 contributors, 32 replies, 33 views, 9-year discussion span; last post by crunchie

I think you have some serious virus. First of all you have to stop its services. Type msconfig in Run.
After that a window opens; click on Services. Click on "Hide Microsoft services"; still some services are there, and search in them for the service associated with the virus (there is something in common between the virus name and the service name associated with it). Search for that. If you do not have any idea, then simply click on "Disable all services".
Now click on the Startup tab and search for something different and disable it. After that use HijackThis. It will work.


Hello, sorry for the long delay in posting. I have followed crunchie's advice and changed the name to analysethis and it worked. Here is my log file; please advise. Thanks, Ryun

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:37:02 PM, on 11/10/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
c:\larc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINNT\System32\hkcmd.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINNT\system32\rundll32.exe
C:\Documents and Settings\administrator\Application Data\gadcom\gadcom.exe
C:\Program Files\3Com\Bluetooth\BTCM.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\analysethis\analysethis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
O1 - Hosts: 207.51.48.106 s0000099
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {299B5FAC-2168-4A5D-A67D-AA4C8F8055DA} - C:\WINNT\System32\jkkJcDvU.dll
O2 - BHO: (no name) - {526BEF0D-13F6-4D83-984D-851BAA658326} - C:\WINNT\System32\ddcYqoPf.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [LarcApplication] LarcApp.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Antivirus Pro 2009] "C:\Program Files\AntivirusPro2009\AntivirusPro2009.exe" /hide
O4 - HKLM\..\Run: [b477f81d] rundll32.exe "C:\WINNT\system32\trtgrryv.dll",b
O4 - HKLM\..\Run: [brastk] brastk.exe
O4 - HKCU\..\Run: [Gool] "C:\Documents and Settings\administrator\Application Data\Gool\Gool.exe"
O4 - HKCU\..\Run: [GetModule27] C:\Program Files\GetModule\GetModule27.exe
O4 - HKCU\..\Run: [gadcom] "C:\Documents and Settings\administrator\Application Data\gadcom\gadcom.exe" 61A847B5BBF72815308B2B27128065E9C084320161C4661227A755E9C2933154389A
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Bluetooth Connection Manager.lnk = C:\Program Files\3Com\Bluetooth\BTCM.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1202832441468
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/popcap/zuma/popcaploader_v6.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (file missing)
O20 - AppInit_DLLs: karna.dat
O20 - Winlogon Notify: jkkJcDvU - C:\WINNT\SYSTEM32\jkkJcDvU.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: ChryslerLarc - Unknown owner - c:\larc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

--
End of file - 4770 bytes


Can you please do the following.

===============

Scan with HijackThis and then place a check next to all the following, if present:


O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {299B5FAC-2168-4A5D-A67D-AA4C8F8055DA} - C:\WINNT\System32\jkkJcDvU.dll
O2 - BHO: (no name) - {526BEF0D-13F6-4D83-984D-851BAA658326} - C:\WINNT\System32\ddcYqoPf.dll

O4 - HKLM\..\Run: [b477f81d] rundll32.exe "C:\WINNT\system32\trtgrryv.dll",b
O4 - HKLM\..\Run: [brastk] brastk.exe

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm

O20 - Winlogon Notify: jkkJcDvU - C:\WINNT\SYSTEM32\jkkJcDvU.dll


Now, close all instances of Internet Explorer and any other windows you have open except HiJackThis, click "Fix checked".

===============

Locate and delete the following item(s), if present. Make sure you are able to view system and hidden files/folders:

files...

C:\WINNT\System32\jkkJcDvU.dll
C:\WINNT\System32\ddcYqoPf.dll
C:\WINNT\system32\trtgrryv.dll

Search for...

brastk.exe

...using "Start | Search...".

-

Note that some of these file(s)/folder(s) may or may not be present. If present, and they cannot be deleted because they're 'in use', try deleting them in Safe Mode by doing the following:

  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear.

Select the first option to run Windows in Safe Mode, then hit Enter.

-

Reboot.

===============

Download Malwarebytes' Anti-Malware (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html) to your desktop.

* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure to checkmark the Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform full scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad.
* Post the log back here.

Make sure that you restart the computer.

The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

Post new HJT log.


Hello, I deleted the items in HijackThis and went into Safe Mode and tried to delete the 3 items. For the first 2 (c:\winnt\system32\jkkjcdvu.dll and ddcyqopf.dll) it says it cannot delete the file, it is being used by Windows. The third one, trtgrryu.dll, I deleted, and I found and deleted brastk.exe. I also have a red circle with an x in the middle in my tray on the right side.


Tried running Malwarebytes and it just sits there saying "Preparing for the scan". I have let it sit for approx. 10 min and still nothing. Any ideas? Thanks, Ryun


Tried running in Safe Mode also with no luck. After I click on Scan it basically locks up, and I have tried uninstalling and reinstalling it. I can scan a particular item and it works; if I do a larger folder it may get halfway done, then it will lock up. If I scan my C drive it just locks up immediately. Thanks for any help, Ryun


Try uninstalling MBA-M, deleting the install file and downloading a new copy from HERE

You do have multiple trojans on the system, at least your first HJT log showed them. You have not posted another log since Crunchie asked you to do some fixing with it. It would help to see a new one.
TURN OFF that AdAwareService. It can interfere with fixes. If you have to, disable it via Task Manager.
Also what is this? LarcApplication. I can find no information about it at all.
The following items in your auto starting programs are all trojans, in addition to those two Crunchie asked you to fix;

O4 - HKLM\..\Run: [Antivirus Pro 2009] "C:\Program Files\AntivirusPro2009\AntivirusPro2009.exe" /hide
O4 - HKCU\..\Run: [Gool] "C:\Documents and Settings\administrator\Application Data\Gool\Gool.exe"
O4 - HKCU\..\Run: [GetModule27] C:\Program Files\GetModule\GetModule27.exe
Plus this listing;
O20 - AppInit_DLLs: karna.dat

You also don't appear to be running an anti-virus program or a firewall.
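As an added illustration (not code from this thread or from any of the tools it mentions), here is a small Python triage script for the HijackThis log format posted above: it parses the Oxx entry lines and flags the kinds of entries the helpers picked out by hand (unnamed BHOs, Run values with random hex names or launched from Application Data, AppInit_DLLs/Winlogon Notify hooks, services with no owner, non-default hosts entries). The sample lines are copied from the first log in this thread; the rules are heuristics, so a flag means "verify", not "delete" (the later logs show AVG's own avgrsstx.dll under AppInit_DLLs, for instance).

```python
import re

# Constructed sample: entry lines copied from the first HijackThis log in this
# thread (raw string so the backslashes stay literal; gadcom's trailing hex
# argument was trimmed).
SAMPLE_LOG = r"""
O1 - Hosts: 207.51.48.106 s0000099
O2 - BHO: (no name) - {299B5FAC-2168-4A5D-A67D-AA4C8F8055DA} - C:\WINNT\System32\jkkJcDvU.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [b477f81d] rundll32.exe "C:\WINNT\system32\trtgrryv.dll",b
O4 - HKCU\..\Run: [gadcom] "C:\Documents and Settings\administrator\Application Data\gadcom\gadcom.exe"
O20 - AppInit_DLLs: karna.dat
O20 - Winlogon Notify: jkkJcDvU - C:\WINNT\SYSTEM32\jkkJcDvU.dll
O23 - Service: ChryslerLarc - Unknown owner - c:\larc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
"""

# Every HijackThis entry line looks like "<section> - <body>", e.g. "O4 - HKLM\..\Run: ...".
HJT_LINE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.+)$")
# O4 registry Run/RunOnce bodies: "HKLM\..\Run: [<value name>] <command line>".
RUN_ENTRY = re.compile(r"^HK\S*\\\.\.\\Run(?:Once)?: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# Value names like "b477f81d" are eight hex digits, a pattern legitimate software rarely uses.
HEX_NAME = re.compile(r"^[0-9a-f]{8}$", re.IGNORECASE)


def parse_hjt(text):
    """Return [(section, body)] for each entry line; headers and the process list are skipped."""
    entries = []
    for raw in text.splitlines():
        m = HJT_LINE.match(raw.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def triage_entry(section, body):
    """Return a reason string if the entry deserves manual verification, else None."""
    if section == "O1":
        # Any hosts mapping other than the loopback defaults can redirect traffic silently.
        parts = body.split("Hosts:", 1)
        if len(parts) == 2 and not parts[1].strip().startswith(("127.0.0.1", "::1")):
            return "non-default hosts file entry"
    elif section == "O2":
        # Legitimate BHOs almost always carry a product name; the "(no name)" ones were the ones fixed here.
        if body.startswith("BHO: (no name)"):
            return "unnamed browser helper object"
    elif section == "O4":
        m = RUN_ENTRY.match(body)
        if m:
            if HEX_NAME.match(m.group("name")):
                return "Run value with random-looking hex name"
            if "Application Data" in m.group("cmd"):
                return "autorun launched from a user profile folder"
    elif section == "O20":
        # AppInit_DLLs and Winlogon Notify load a DLL into many processes, so every
        # entry needs checking (AVG's avgrsstx.dll in the later logs is legitimate).
        return "AppInit_DLLs / Winlogon Notify hook (verify each DLL)"
    elif section == "O23":
        if "Unknown owner" in body:
            return "service without vendor information"
    return None


def triage_hjt(text):
    """Parse a HijackThis log and return [(section, reason, body)] for every flagged entry."""
    flagged = []
    for section, body in parse_hjt(text):
        reason = triage_entry(section, body)
        if reason:
            flagged.append((section, reason, body))
    return flagged


if __name__ == "__main__":
    for section, reason, body in triage_hjt(SAMPLE_LOG):
        print(f"{section:4} {reason}: {body}")
```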


Hello everyone, I think I have good news. I chipped away at it and finally got AVG to install, ran it, and got rid of a lot of stuff, and then was able to install Ad-Aware and got rid of some stuff. Then all of a sudden I was able to run Malwarebytes and it got rid of the rest. So everything seems to be okay. I am going to post a new log if someone would for sure look at it and tell me what you think...

Thanks again everyone, Ryun

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:01:27 PM, on 11/12/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
c:\larc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\System32\hkcmd.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\3Com\Bluetooth\BTCM.exe
C:\Program Files\Trend Micro\HijackThis1\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
O1 - Hosts: 207.51.48.106 s0000099
O2 - BHO: (no name) - {01DBDA4B-8792-4B44-BCB2-379A799E3605} - C:\WINNT\system32\xcatllys.dll (file missing)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {BE0CB6CD-8B04-41E4-B07B-03657CB4BBDF} - C:\WINNT\System32\ddcYqoPf.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [LarcApplication] LarcApp.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [Gool] "C:\Documents and Settings\administrator\Application Data\Gool\Gool.exe"
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Bluetooth Connection Manager.lnk = C:\Program Files\3Com\Bluetooth\BTCM.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1202832441468
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: karna.dat,qufgww.dll,avgrsstx.dll hqxwou.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: ChryslerLarc - Unknown owner - c:\larc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

--
End of file - 4345 bytes


O4 - HKCU\..\Run: [Gool] "C:\Documents and Settings\administrator\Application Data\Gool\Gool.exe"

Fix the line above with hijackthis, then manually delete the Gool.exe file.


Reboot and post a new hijackthis log.


Here is my HijackThis log. I did as you said; let me know. Thanks, Crunchie

I was wondering about this entry: O2 - BHO: WormRadar.com IESiteBlocker.NavFilter
I'm not sure if it was there previously; it looks odd. Thanks

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:15:14 AM, on 11/15/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
c:\larc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\mspmspsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINNT\System32\hkcmd.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\3Com\Bluetooth\BTCM.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis1\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
O1 - Hosts: 207.51.48.106 s0000099
O2 - BHO: (no name) - {01DBDA4B-8792-4B44-BCB2-379A799E3605} - C:\WINNT\system32\xcatllys.dll (file missing)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {BE0CB6CD-8B04-41E4-B07B-03657CB4BBDF} - C:\WINNT\System32\ddcYqoPf.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [LarcApplication] LarcApp.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Bluetooth Connection Manager.lnk = C:\Program Files\3Com\Bluetooth\BTCM.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1202832441468
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: karna.dat,qufgww.dll,avgrsstx.dll hqxwou.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: ChryslerLarc - Unknown owner - c:\larc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

--
End of file - 4169 bytes


I was wondering about this entry: O2 - BHO: WormRadar.com IESiteBlocker.NavFilter
I'm not sure if it was there previously; it looks odd. Thanks

That is part of your AVG8 Anti-virus program.
Judy


Scan with HijackThis and then place a check next to all the following, if present:


O2 - BHO: (no name) - {01DBDA4B-8792-4B44-BCB2-379A799E3605} - C:\WINNT\system32\xcatllys.dll (file missing)
O2 - BHO: (no name) - {BE0CB6CD-8B04-41E4-B07B-03657CB4BBDF} - C:\WINNT\System32\ddcYqoPf.dll (file missing)


Now, close all instances of Internet Explorer and any other windows you have open except HiJackThis, click "Fix checked".

===============

After rebooting, rescan with hijackthis and post back a new log.

Do you know what the O1 Hosts entry is? If not, you can fix that too.


Here you go.... Thanks, Ryun

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:26:15 AM, on 11/17/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
c:\larc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\mspmspsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINNT\System32\hkcmd.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\3Com\Bluetooth\BTCM.exe
C:\Program Files\Trend Micro\HijackThis1\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [LarcApplication] LarcApp.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Bluetooth Connection Manager.lnk = C:\Program Files\3Com\Bluetooth\BTCM.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1202832441468
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: karna.dat,qufgww.dll,avgrsstx.dll hqxwou.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: ChryslerLarc - Unknown owner - c:\larc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

--
End of file - 3864 bytes


Still got something going on there.

==

Please download ComboFix by sUBs from HERE or HERE

  • You must download it to and run it from your Desktop
  • Physically disconnect from the internet.
  • Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
  • Double click combofix.exe & follow the prompts.
  • When finished, it will produce a log. Please save that log to post in your next reply along with a fresh HJT log
  • Re-enable all the programs that were disabled during the running of ComboFix.

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.


Tried to download ComboFix from both sites, but it pops up a box: "Error -Win32 only" Incompatible OS. ComboFix only works with Windows 2000 or XP. I am using 2000 Pro, so I'm not sure if it should work or not? Thanks


As far as I can find, ComboFix works just fine on Windows 2000 Pro.
One thing I note in your logs is that you have Ad-Aware's aawservice.exe running.
You should stop this from running. I have seen multiple posts where this seemed to have interfered with some attempts at fixes.
Are you downloading and saving it to the desktop or are you attempting to download and run it?


Hello, I have been trying to download and run it, but I just tried downloading to the desktop and it tells me the same thing. It is showing in my Ad-Aware program that the Ad-Watch part is not running, so I'm not sure how to disable it. I tried shutting down the aawservice.exe process but it wouldn't let me. Should I delete AAW and then reinstall it later?


Please download Dr Web-Cureit!
Save the folder to your desktop.
Don't run it yet.

Now reboot into Safe Mode.
This can be done by tapping the F8 key as soon as you start your computer.
You will be brought to a menu where you can choose to boot into Safe Mode.
Make sure you choose the option without networking support.

Run Dr Web-Cureit!
Double-click the "drweb-cureit.exe" and click "ok" in the prompt window that will open, asking "start the express scan now".
It will first make a quick scan of your system; let it clean what it finds, and when it says "done" in the lower left corner, click on all your drives.
A red dot will mark the selected drive(s). Then hit the pedestrian, who has now turned green.
Click on the green man in the right corner; it will scan ALL your drives. Hit Yes to all.

Click 'Yes to all' if it asks if you want to cure/move the file.
When the scan has finished, in the menu click File and choose Save report list.
Save the report to your desktop. The report will be called DrWeb.csv
Close Dr.Web Cureit.
Reboot your computer back to normal mode.

Post the log back here once finished.


Here is the log from CureIt. I am posting 2 different ones, one from the quick scan and one from the complete scan.

The logs may not have what you are looking for; I had to open them in WordPad, as apparently I don't have the correct program to open them. Sorry. Thanks again, Ryun

1st
Master Boot Record HDD1;;BackDoor.MaosBoot;Cured.;
Master Boot Record HDD2;;BackDoor.MaosBoot;Cured.;


2nd
C.bat;C:\32788R22FWJFW;Probably BATCH.Virus;Incurable.Moved.;
psexec.cfexe;C:\32788R22FWJFW;Program.PsExec.171;Incurable.Moved.;
ComboFix.exe\32788R22FWJFW\C.bat;C:\Documents and Settings\administrator\Desktop\ComboFix.exe;Probably BATCH.Virus;;
ComboFix.exe\32788R22FWJFW\psexec.cfexe;C:\Documents and Settings\administrator\Desktop\ComboFix.exe;Program.PsExec.171;;
ComboFix.exe;C:\Documents and Settings\administrator\Desktop;Archive contains infected objects;Moved.;
INSTSRV.EXE;C:\MDS2\CLIENTCLIENT\LanAdvantage;Tool.InstSrv;Incurable.Moved.;
1.df1lb;C:\Temp;Trojan.Packed.598;Deleted.;
2.df1lb;C:\Temp;Trojan.Packed.598;Deleted.;
5.df1lb;C:\Temp;Trojan.Packed.598;Deleted.;
6.df1lb;C:\Temp;Trojan.Packed.598;Deleted.;
7.df1lb;C:\Temp;Trojan.Packed.598;Deleted.;


Looks like it found something anyway.

Are you able to run combofix? Can you rename the combofix executable and run it? You may have to download a new copy.


Thanks, Crunchie. Changing the name worked; here is the log.

ComboFix 08-11-23.02 - Administrator 11/24/2008 15:02:16.1 - NTFSx86
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.90 [GMT -6:00]
Running from: c:\documents and settings\administrator\Desktop\ComboFax.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Default User\Local Settings\Temporary Internet Files\fbk.sts
c:\winnt\system32\adwauyqg.ini
c:\winnt\system32\exjurlyo.ini
c:\winnt\system32\fPoqYcdd.ini
c:\winnt\system32\fPoqYcdd.ini2
c:\winnt\system32\grsmotuc.ini
c:\winnt\system32\idrcnrvg.ini
c:\winnt\system32\pqlvepnw.ini
c:\winnt\system32\radhgsdj.ini
c:\winnt\system32\tklvrcqp.ini
c:\winnt\system32\urwcitnc.ini
c:\winnt\system32\vyrrgtrt.ini
c:\winnt\system32\yfeenwts.ini
c:\winnt\system32\ysjtlror.ini
c:\winnt\wiaserviv.log

.
((((((((((((((((((((((((( Files Created from 2008-10-24 to 2008-11-24 )))))))))))))))))))))))))))))))
.

2008-11-24 15:09 . 08-11-24 15:09 53,248 --a------ c:\temp\catchme.dll
2008-11-24 15:08 . 08-11-24 15:08 131,072 --a------ c:\temp\Stack.dat
2008-11-24 15:08 . 08-11-24 15:08 131,072 --a------ c:\temp\Simulator.dat
2008-11-24 15:08 . 08-11-24 15:08 131,072 --a------ c:\temp\Remote Device Cache.dat
2008-11-24 15:08 . 08-11-24 15:08 131,072 --a------ c:\temp\Monitor.dat
2008-11-24 15:08 . 08-11-24 15:08 131,072 --a------ c:\temp\ControlPanel.dat
2008-11-24 15:06 . 08-11-24 15:06 16,384 --a----t- c:\winnt\system32\Perflib_Perfdata_250.dat
2008-11-24 11:04 . 08-11-24 11:43 <DIR> d-------- c:\documents and settings\administrator\DoctorWeb
2008-11-12 12:13 . 08-11-12 12:13 <DIR> d-------- c:\program files\Lavasoft
2008-11-12 11:09 . 08-11-15 11:46 <DIR> d--h----- C:\$AVG8.VAULT$
2008-11-12 11:08 . 08-11-12 11:08 76,040 --a------ c:\winnt\system32\drivers\avgtdix.sys
2008-11-12 11:08 . 08-11-12 11:08 10,520 --a------ c:\winnt\system32\avgrsstx.dll
2008-11-12 11:07 . 08-11-24 13:32 <DIR> d-------- c:\winnt\system32\drivers\Avg
2008-11-12 11:07 . 08-11-12 11:07 97,928 --a------ c:\winnt\system32\drivers\avgldx86.sys
2008-11-12 11:05 . 08-11-12 11:08 <DIR> d-------- c:\temp\7zS34.tmp
2008-11-11 16:51 . 08-11-24 15:07 <DIR> d-------- c:\temp\7zSF.tmp
2008-11-11 16:51 . 08-11-24 15:07 <DIR> d-------- c:\temp\7zS10.tmp
2008-11-11 16:49 . 08-11-24 15:07 <DIR> d-------- c:\temp\7zSE.tmp
2008-11-11 16:45 . 08-11-11 16:45 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-11-11 13:42 . 08-11-11 13:42 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-11-11 13:42 . 08-10-22 16:10 38,496 --a------ c:\winnt\system32\drivers\mbamswissarmy.sys
2008-11-11 13:42 . 08-10-22 16:10 15,504 --a------ c:\winnt\system32\drivers\mbam.sys
2008-11-11 11:30 . 08-11-11 11:30 8,192 --a------ C:\ntuser.dat
2008-11-10 16:26 . 08-11-24 15:07 <DIR> d-------- c:\temp\7zS3.tmp
2008-11-10 14:22 . 08-11-10 14:22 <DIR> d-------- C:\windows
2008-11-10 12:34 . 08-11-10 14:23 <DIR> d-------- c:\program files\The Weather Channel FW
2008-11-10 09:27 . 08-11-10 09:27 122,880 --a------ c:\winnt\system32\qyxtuegc.dll
2008-11-08 11:39 . 08-11-04 13:15 102,664 --a------ c:\winnt\system32\drivers\tmcomm.sys
2008-11-08 09:49 . 08-11-11 12:02 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
2008-11-08 09:48 . 02-05-15 16:16 462,848 --a------ c:\winnt\system32\msaatext.dll
2008-11-08 09:48 . 02-05-15 16:16 360,448 --a------ c:\winnt\system32\oleacc.dll
2008-11-08 09:48 . 02-05-15 16:16 356,352 --a------ c:\winnt\system32\oleaccrc.dll
2008-11-05 18:31 . 08-11-05 18:31 <DIR> d-------- c:\program files\Avira
2008-11-05 18:31 . 08-11-05 18:31 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avira
2008-11-05 18:30 . 08-11-24 15:08 <DIR> d-------- c:\temp\RarSFX0
2008-11-05 18:30 . 08-11-24 15:07 <DIR> d-------- c:\temp\AVSETUP_49123ab0
2008-11-05 11:31 . 08-11-05 11:31 19,656 --a------ c:\program files\Common Files\ybakyneqo.exe
2008-11-05 05:05 . 08-11-14 10:15 <DIR> d-------- c:\temp\ripagup.tmp
2008-11-04 16:13 . 08-11-08 09:41 <DIR> d-------- c:\program files\Panda Security
2008-11-04 15:07 . 08-11-04 15:07 <DIR> d-------- c:\documents and settings\administrator\Application Data\Malwarebytes
2008-11-04 15:06 . 08-11-04 15:06 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-04 14:27 . 08-11-04 14:27 <DIR> d-------- c:\winnt\winsxs
2008-11-04 14:27 . 08-11-04 14:27 <DIR> d-------- c:\program files\AVG
2008-11-04 14:27 . 08-11-12 11:06 <DIR> d-a------ c:\documents and settings\All Users\Application Data\avg8
2008-11-04 14:01 . 08-11-04 14:01 <DIR> d-a------ c:\winnt\system32\Windows Media
2008-11-04 13:59 . 08-11-04 13:59 <DIR> d-------- c:\winnt\msiinst.tmp
2008-11-04 13:59 . 08-11-04 13:59 <DIR> d--h-c--- c:\winnt\$NtUpdateRollupPackUninstall$
2008-11-04 13:58 . 08-11-24 15:07 <DIR> d-------- c:\temp\7zS2.tmp
2008-11-04 13:51 . 08-11-04 13:51 <DIR> d-a------ c:\winnt\system32\ie_de
2008-11-04 13:51 . 08-11-04 13:54 <DIR> d-a------ c:\winnt\system32\CertSrv
2008-11-04 13:51 . 08-11-04 13:51 <DIR> d-------- c:\winnt\ServicePackFiles
2008-11-04 13:48 . 05-02-06 21:35 6,301,696 --a------ c:\winnt\system32\sp3res.dll
2008-11-04 13:47 . 03-06-19 13:05 2,017,792 --a------ c:\winnt\system32\msi.dll
2008-11-04 13:46 . 05-01-12 12:39 442,640 --a------ c:\winnt\system32\ipnathlp.dll
2008-11-04 13:45 . 04-02-19 15:03 1,816,552 -ra------ c:\winnt\system32\dtcsetup.exe
2008-11-04 13:44 . 03-06-19 13:05 2,531,088 --a------ c:\winnt\system32\cdosys.dll
2008-11-04 13:15 . 08-11-07 18:19 <DIR> d-------- c:\documents and settings\administrator\.housecall6.6
2008-11-04 13:13 . 08-11-04 13:13 <DIR> d-------- c:\winnt\Sun
2008-11-04 13:10 . 08-11-04 13:10 <DIR> d-------- c:\program files\Java
2008-11-04 13:10 . 08-11-04 13:10 410,976 --a------ c:\winnt\system32\deploytk.dll
2008-11-04 13:10 . 08-11-04 13:10 73,728 --a------ c:\winnt\system32\javacpl.cpl
2008-11-04 13:09 . 08-11-24 15:08 <DIR> d-------- c:\temp\ICD1.tmp
2008-11-04 12:08 . 08-11-10 14:36 <DIR> d-------- c:\program files\Trend Micro
2008-11-03 23:58 . 08-11-03 23:58 <DIR> d-------- C:\DrWatson
2008-11-01 10:36 . 08-11-03 17:08 296 --ah----- C:\aaw7boot.cmd
2008-11-01 10:07 . 08-11-04 10:47 <DIR> d--hs---- c:\winnt\TURTMg
2008-11-01 10:03 . 08-11-01 10:03 <DIR> d-------- c:\winnt\woof
2008-11-01 10:03 . 08-11-01 10:36 <DIR> d-------- c:\program files\Common Files\woof
2008-10-30 12:39 . 08-10-30 12:39 <DIR> d-------- c:\temp\Adobe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-05 17:31 19,069 ----a-w c:\winnt\otovanumi.sys
2008-11-05 17:31 17,850 ----a-w c:\winnt\system32\yhyxamy.reg
2008-11-05 17:31 17,666 ----a-w c:\winnt\sefuxenyx.reg
2008-11-05 17:31 17,318 ----a-w c:\program files\Common Files\pivogu._sy
2008-11-05 17:31 16,356 ----a-w c:\winnt\dydasis.bat
2008-11-05 17:31 14,754 ----a-w c:\winnt\wimezokux.scr
2008-11-05 17:31 13,036 ----a-w c:\program files\Common Files\budiseho.ban
2008-11-05 17:31 10,030 ----a-w c:\winnt\uxyg.pif
2008-10-07 21:59 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2005-10-06 16:45 0 ----a-w c:\program files\SysUtility.dat
2002-08-15 16:23 271 ---h--w c:\program files\desktop.ini
2002-08-15 16:23 21,952 ---h--w c:\program files\folder.htt
2001-05-08 12:00 32,528 ----a-w c:\winnt\inf\wbfirdma.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\winnt\System32\igfxtray.exe" [02-03-26 19:28 155648]
"HotKeysCmds"="c:\winnt\System32\hkcmd.exe" [02-03-26 19:20 106496]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [08-11-04 13:10 136600]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [08-11-12 11:07 1234712]
"Synchronization Manager"="mobsync.exe" [03-06-19 13:05 111376 c:\winnt\system32\mobsync.exe]
"LarcApplication"="LarcApp.exe" [02-04-18 02:04 16384 c:\winnt\system32\LarcApp.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="c:\program files\Internet Explorer\Connection Wizard\icwconn1.exe" [03-06-19 13:05 186640]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
Bluetooth Connection Manager.lnk - c:\program files\3Com\Bluetooth\BTCM.exe [2006-09-14 1445888]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= mmdrv.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
ntdll.dll REG_MULTI_SZ msv1_0 c:\winnt\System32\ddcYqoPf

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001


*Newly Created Service* - IPNAT
*Newly Created Service* - RASAUTO
*Newly Created Service* - SHAREDACCESS
.
Contents of the 'Scheduled Tasks' folder

2008-11-24 c:\winnt\Tasks\backup.job
- c:\scripts\backup.cmd [08-09-13 11:55 ]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-MMTray - c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
LSP: %SystemRoot%\system32\msafd.dll

O16 -: DirectAnimation Java Classes - file://c:\winnt\Java\classes\dajava.cab
c:\winnt\Downloaded Program Files\DirectAnimation Java Classes.osd

O16 -: Microsoft XML Parser for Java - file://c:\winnt\Java\classes\xmldso.cab
c:\winnt\Downloaded Program Files\Microsoft XML Parser for Java.osd
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-24 15:09:49
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(172)
c:\winnt\system32\wzcdlg.dll
c:\winnt\system32\WZCSAPI.DLL

- - - - - - - > 'lsass.exe'(236)
c:\winnt\system32\rsaenh.dll
.
Completion time: 2008-11-24 15:12:50 - machine was rebooted
ComboFix-quarantined-files.txt 2008-11-24 21:12:21

Pre-Run: 15,235,842,048 bytes free
Post-Run: 15,884,251,136 bytes free

182


c:\winnt\system32\qyxtuegc.dll
c:\winnt\System32\ddcYqoPf

I scanned the first (qyxtuegc.dll) and it found nothing. I have searched manually and with the search option several times and have not been able to find the ddcYqoPf file. What should I do from here? Thanks, Ryun


Not sure if you need this

Service load: 0% 100%

File: qyxtuegc.dll
Status: OK
MD5: ba1e2f7ec7cdcc5845144f2361399af1
Packers detected: -


Scan taken on 25 Nov 2008 17:15:42 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
G DATA Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing
