
Well... I JUST reformatted my PC 2 weeks ago and I thought it would clean everything... but then I still had Virtumonde... so all these nasty pop-ups and other things would come on my computer... it has been going very slow and has led to me getting prunnet and other trojans. Here's the HiJackThis log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:03:55 PM, on 1/24/2009
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Security\Panda Antivirus Pro 2009\TPSrv.exe
C:\PROGRAM FILES\PANDA SECURITY\PANDA ANTIVIRUS PRO 2009\WebProxy.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Panda Security\Panda Antivirus Pro 2009\APVXDWIN.EXE
C:\Program Files\AIM6\aim6.exe
C:\program files\steam\steam.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Panda Security\Panda Antivirus Pro 2009\PsCtrls.exe
C:\Program Files\Panda Security\Panda Antivirus Pro 2009\PavFnSvr.exe
C:\Program Files\Common Files\Panda Security\PavShld\pavprsrv.exe
C:\Program Files\Panda Security\Panda Antivirus Pro 2009\PsImSvc.exe
C:\Program Files\Panda Security\Panda Antivirus Pro 2009\PskSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
c:\program files\steam\steamapps\lolatyou182\counter-strike source\hl2.exe
C:\program files\steam\GameOverlayUI.exe
C:\WINDOWS\System32\taskmgr.exe
C:\Program Files\Ventrilo\Ventrilo.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Documents and Settings\Jacob\My Documents\HiJackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {CC2B82B4-77FB-477F-B8C6-0D0A29B9AF79} - C:\WINDOWS\System32\jkkLCuvs.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Security\Panda Antivirus Pro 2009\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [SCANINICIO] "C:\Program Files\Panda Security\Panda Antivirus Pro 2009\Inicio.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [Bdihinodusexuyod] rundll32.exe "C:\WINDOWS\Cbubiga.dll",e
O4 - HKLM\..\Run: [Qlagegacudezen] rundll32.exe "C:\WINDOWS\amemicelo.dll",e
O4 - HKLM\..\Run: [Framework Windows] frmwrk32.exe
O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [cogad] "C:\Documents and Settings\Jacob\Application Data\cogad\cogad.exe" 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C8833201749139
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1232497751749
O20 - AppInit_DLLs: gpqwmc.dll hnrfsj.dll
O20 - Winlogon Notify: geBqopOh - geBqopOh.dll (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Panda Software Controller - Panda Security, S.L. - C:\Program Files\Panda Security\Panda Antivirus Pro 2009\PsCtrls.exe
O23 - Service: Panda Function Service (PAVFNSVR) - Panda Security, S.L. - C:\Program Files\Panda Security\Panda Antivirus Pro 2009\PavFnSvr.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Security, S.L. - C:\Program Files\Common Files\Panda Security\PavShld\pavprsrv.exe
O23 - Service: Panda On-Access Anti-Malware Service (PAVSRV) - Panda Security, S.L. - C:\Program Files\Panda Security\Panda Antivirus Pro 2009\pavsrv51.exe
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Security S.L. - C:\Program Files\Panda Security\Panda Antivirus Pro 2009\PsImSvc.exe
O23 - Service: Panda PSK service (PskSvcRetail) - Panda Security, S.L. - C:\Program Files\Panda Security\Panda Antivirus Pro 2009\PskSvc.exe
O23 - Service: Panda TPSrv (TPSrv) - Panda Security, S.L. - C:\Program Files\Panda Security\Panda Antivirus Pro 2009\TPSrv.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 5376 bytes
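A way to read a HijackThis log like the one above without eyeballing every line: the script below is an added example written for this page (the editor's code, not HijackThis's, and not part of the thread). The heuristics are assumptions about what "looks wrong" in a Windows XP autorun listing, namely the Vundo-style random DLL names (jkkLCuvs, gpqwmc, hnrfsj, geBqopOh), a BHO registered with no name, a populated AppInit_DLLs value, a Winlogon Notify entry whose DLL is gone, a Winsock LSP file in Temp, and Run entries that launch from a user profile folder or with no path at all. SAMPLE_LOG is a constructed subset of the O-lines posted in this thread.

```python
"""Triage HijackThis (HJT) log lines for the persistence patterns visible in the logs
in this thread: Vundo-style random DLL names, a BHO with no name, a populated
AppInit_DLLs value, an orphaned Winlogon Notify entry, a Winsock LSP file in Temp,
and Run entries that launch from user-writable folders or with no path at all.

Editor's added example, not HijackThis code. The heuristics are assumptions about
what "looks wrong"; SAMPLE_LOG is a constructed subset of the O-lines posted above.
"""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "line reasons")

SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {CC2B82B4-77FB-477F-B8C6-0D0A29B9AF79} - C:\WINDOWS\System32\jkkLCuvs.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Bdihinodusexuyod] rundll32.exe "C:\WINDOWS\Cbubiga.dll",e
O4 - HKLM\..\Run: [Framework Windows] frmwrk32.exe
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [cogad] "C:\Documents and Settings\Jacob\Application Data\cogad\cogad.exe" 61A847B5
O10 - Unknown file in Winsock LSP: c:\docume~1\jacob\locals~1\temp\ntdll64.dll
O20 - AppInit_DLLs: gpqwmc.dll hnrfsj.dll
O20 - Winlogon Notify: geBqopOh - geBqopOh.dll (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

# User-writable locations a legitimate HKLM/HKCU Run entry rarely starts from (lower-case).
SUSPECT_DIRS = ("\\temp\\", "\\application data\\", "\\local settings\\", "locals~1")


def looks_random(stem):
    """Vundo DLLs in these logs use 8-letter names with capitals mid-word (jkkLCuvs,
    geBqopOh) or vowel-less names of 6+ letters (gpqwmc, hnrfsj); vendor DLLs rarely do."""
    if not stem.isalpha():
        return False
    inner_caps = sum(1 for c in stem[1:] if c.isupper())
    no_vowels = re.search(r"[aeiou]", stem, re.IGNORECASE) is None
    return (len(stem) == 8 and inner_caps >= 2) or (len(stem) >= 6 and no_vowels)


def triage_line(line):
    """Return a Finding listing every heuristic the line trips, or None if it trips none."""
    line = line.strip()
    if not line or " - " not in line:
        return None
    kind = line.split(" - ", 1)[0]            # "O2", "O4", "O10", "O20", ...
    low = line.lower()
    reasons = []
    if kind == "O2" and "(no name)" in line:
        reasons.append("BHO registered without a name")
    if kind == "O4" and "] " in line:
        cmd = line.split("] ", 1)[1].lower()  # the command after the [name] tag
        if "rundll32" in cmd and "\\system32\\" not in cmd:
            reasons.append("rundll32 loading a DLL outside System32")
        if any(d in cmd for d in SUSPECT_DIRS):
            reasons.append("autorun from a user-writable profile/temp directory")
        if "\\" not in cmd:
            reasons.append("autorun with a bare filename and no path")
    if kind == "O10":
        reasons.append("unknown Winsock LSP file (sees every socket call)")
    if kind == "O20" and low.startswith("o20 - appinit_dlls:") and low.split(":", 1)[1].strip():
        reasons.append("non-empty AppInit_DLLs (loaded into every user32 process)")
    if kind == "O20" and "winlogon notify" in low and "(file missing)" in low:
        reasons.append("orphaned Winlogon Notify entry")
    odd = [d for d in re.findall(r"([A-Za-z0-9]+)\.dll", line) if looks_random(d)]
    if odd:
        reasons.append("randomly named DLL: " + ", ".join(odd))
    return Finding(line, reasons) if reasons else None


def triage_log(text):
    """Run triage_line over a whole HJT log and keep only the hits."""
    return [f for f in (triage_line(l) for l in text.splitlines()) if f]


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f.line[:70])
        for r in f.reasons:
            print("    ->", r)
```

On the sample it flags seven of the eleven lines and leaves the Adobe BHO, the NVIDIA Run entry, Steam and the NVIDIA service alone. The name heuristic is deliberately narrow (vowel-less names must be six letters or more so that NvCpl does not trip it); treat a hit as "look closer", not as a verdict.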


0

Hi jakey101, when you format your HDD, don't just format it; make sure that you remove the old partition and install a new one.. or if you've got tools to wipe your HDD, use them, or try searching Google for HDD partitioning tools..

And make sure that your old software or any of your USB devices, like a thumb drive, are free from viruses..

A fresh OS is one thing, but if your thumb drive or the things you've downloaded from the web and burned to CD or DVD have a virus, then once you plug it back in your system will be infected again..

Use an antivirus like AVG or an anti-malware tool like Malwarebytes..

0

A fresh format will clean out everything on the HD. If you got infected again it's either because you went somewhere you shouldn't have, did something you shouldn't have, or as cguan_77 said, some other hardware on your pc is infected still.

0

Ok.. thanks. What should I do to fix this? Do you see anything in my HJT log? I really need to fix this.

0

I have not done anything to msconfig except stop prunnet.exe from starting in my processes on startup..

0

I have not done anything to msconfig except stop prunnet.exe from starting in my processes on startup..

So you did one thing :).

==

If you want to try cleaning this, do the following;

==

Download Malwarebytes' Anti-Malware (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html) to your desktop.

* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure to checkmark the Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform full scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad.
* Post the log back here.

Make sure that you restart the computer.

The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

Post new HJT log.

0

got it:

Malwarebytes' Anti-Malware 1.33
Database version: 1685
Windows 5.1.2600

1/23/2009 7:29:48 PM
mbam-log-2009-01-23 (19-29-48).txt

Scan type: Quick Scan
Objects scanned: 46295
Time elapsed: 4 minute(s), 28 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 19
Registry Values Infected: 3
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 23

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\gpqwmc.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\System32\jkkLCuvs.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{a07b07b9-ef37-4fed-ab57-752e4f2f9001} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a07b07b9-ef37-4fed-ab57-752e4f2f9001} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{cc2b82b4-77fb-477f-b8c6-0d0a29b9af79} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{cc2b82b4-77fb-477f-b8c6-0d0a29b9af79} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ukcafgus (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\ukcafgus (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ukcafgus (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\aylnlfdx (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\aylnlfdx (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aylnlfdx (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ptygbtro (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\ptygbtro (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ptygbtro (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\prunnet (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\virusremover2008 (Rogue.VirusRemove) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\virusremover2008 (Rogue.VirusRemove) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\instkey (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bdihinodusexuyod (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qlagegacudezen (Trojan.Agent) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\prunnet (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\gpqwmc.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\System32\jkkLCuvs.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\System32\jkkLCuvs.dllbox (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\System32\c:\windows\system32\jkklcuvs.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\svuCLkkj.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\svuCLkkj.ini2 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\gowsarrv.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\vrraswog.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\jsufrjgg.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\rqRKBtTN.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\System32\Drivers\oxthuzyn.sys (Rootkit.Agent) -> Delete on reboot.
C:\WINDOWS\system32\drivers\phqghume.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\ynxqwqqf.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jacob\Local Settings\Temp\wcrsonmxea.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jacob\Local Settings\Temp\encsxroawm.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jacob\Local Settings\Temp\winvsnet.tmp (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jacob\Local Settings\Temp\worcnsemax.tmp (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jacob\Local Settings\Temp\prun.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jacob\Local Settings\Temporary Internet Files\Content.IE5\89E7GTEN\upd105320[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jacob\Local Settings\Temporary Internet Files\Content.IE5\G1QF8PMR\index[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\Cbubiga.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\amemicelo.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\pmnonolK.dll (Trojan.Vundo) -> Quarantined and deleted successfully.


Now my task manager has been disabled by the administrator..?

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:36:39 PM, on 1/24/2009
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Security\Panda Antivirus Pro 2009\TPSrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Panda Security\Panda Antivirus Pro 2009\APVXDWIN.EXE
C:\Program Files\AIM6\aim6.exe
C:\program files\steam\steam.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Panda Security\Panda Antivirus Pro 2009\PsCtrls.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Panda Security\Panda Antivirus Pro 2009\PavFnSvr.exe
C:\Program Files\Common Files\Panda Security\PavShld\pavprsrv.exe
C:\Program Files\Panda Security\Panda Antivirus Pro 2009\PsImSvc.exe
C:\Program Files\Panda Security\Panda Antivirus Pro 2009\PskSvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Panda Security\Panda Antivirus Pro 2009\pavsrv51.exe
C:\Program Files\Panda Security\Panda Antivirus Pro 2009\AVENGINE.EXE
C:\WINDOWS\System32\userinit.exe
C:\Program Files\Panda Security\Panda Antivirus Pro 2009\WebProxy.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Panda Security\Panda Antivirus Pro 2009\psimreal.exe
C:\Documents and Settings\Jacob\My Documents\HiJackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {CC2B82B4-77FB-477F-B8C6-0D0A29B9AF79} - C:\WINDOWS\System32\jkkLCuvs.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Security\Panda Antivirus Pro 2009\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [SCANINICIO] "C:\Program Files\Panda Security\Panda Antivirus Pro 2009\Inicio.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [Bdihinodusexuyod] rundll32.exe "C:\WINDOWS\Cbubiga.dll",e
O4 - HKLM\..\Run: [Qlagegacudezen] rundll32.exe "C:\WINDOWS\amemicelo.dll",e
O4 - HKLM\..\Run: [Framework Windows] frmwrk32.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [cogad] "C:\Documents and Settings\Jacob\Application Data\cogad\cogad.exe" 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C8833201749139
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O10 - Unknown file in Winsock LSP: c:\docume~1\jacob\locals~1\temp\ntdll64.dll
O10 - Unknown file in Winsock LSP: c:\docume~1\jacob\locals~1\temp\ntdll64.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1232497751749
O20 - AppInit_DLLs: gpqwmc.dll hnrfsj.dll
O20 - Winlogon Notify: geBqopOh - geBqopOh.dll (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Panda Software Controller - Panda Security, S.L. - C:\Program Files\Panda Security\Panda Antivirus Pro 2009\PsCtrls.exe
O23 - Service: Panda Function Service (PAVFNSVR) - Panda Security, S.L. - C:\Program Files\Panda Security\Panda Antivirus Pro 2009\PavFnSvr.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Security, S.L. - C:\Program Files\Common Files\Panda Security\PavShld\pavprsrv.exe
O23 - Service: Panda On-Access Anti-Malware Service (PAVSRV) - Panda Security, S.L. - C:\Program Files\Panda Security\Panda Antivirus Pro 2009\pavsrv51.exe
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Security S.L. - C:\Program Files\Panda Security\Panda Antivirus Pro 2009\PsImSvc.exe
O23 - Service: Panda PSK service (PskSvcRetail) - Panda Security, S.L. - C:\Program Files\Panda Security\Panda Antivirus Pro 2009\PskSvc.exe
O23 - Service: Panda TPSrv (TPSrv) - Panda Security, S.L. - C:\Program Files\Panda Security\Panda Antivirus Pro 2009\TPSrv.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 5419 bytes

And again after the reboot, my task manager got disabled randomly by the administrator..

0

Maybe you should have followed my instructions a little closer and ran the FULL SCAN in MBA-M :).

Why is the date on MBA-M showing the 23rd? Your first post has the 24th of January, so you must have run MBA-M before you posted?

0

Sorry crunchie :$
Well, now when I try to open Panda Antivirus it says invalid point operation..

Malwarebytes' Anti-Malware 1.33
Database version: 1685
Windows 5.1.2600

1/24/2009 2:00:18 PM
mbam-log-2009-01-24 (14-00-18).txt

Scan type: Full Scan (C:\|)
Objects scanned: 16603
Time elapsed: 10 minute(s), 0 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 4
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 7

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\hnrfsj.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\System32\jkkLCuvs.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{cc2b82b4-77fb-477f-b8c6-0d0a29b9af79} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{cc2b82b4-77fb-477f-b8c6-0d0a29b9af79} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{e29a072a-e61c-4873-9778-4ada85c626cf} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{e29a072a-e61c-4873-9778-4ada85c626cf} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\System32\jkkLCuvs.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\System32\jkkLCuvs.dllbox (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\System32\c:\windows\system32\jkklcuvs.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\svuCLkkj.ini (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\svuCLkkj.ini2 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\hnrfsj.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\Documents and Settings\Jacob\Local Settings\Temporary Internet Files\Content.IE5\89E7GTEN\index[1] (Trojan.Vundo.H) -> Quarantined and deleted successfully.

0

And yes, I did run it before this thread.. just thought I would post the first log.

0

Well, there is something weird going on here. Your quick scan scanned 46295 files, but your Full scan only scanned 16603.
I have seen full scans taking well over 1 hour, yet yours took 10 minutes.
What are your pc's specs?

When you do the full scan, you need to reboot your machine (I will be able to tell if you did :)) and post a new hijackthis log and the MBA-M log.
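The two checks crunchie applies here (did the Full scan actually cover more objects than the Quick scan, and what is still present after an item was only scheduled "Delete on reboot") can be done mechanically on the MBAM logs. The script below is an added example written for this page, the editor's code rather than anything from Malwarebytes or from the thread; LOG_QUICK and LOG_FULL are constructed, trimmed copies of the first two MBAM logs posted above.

```python
"""Compare two successive Malwarebytes' Anti-Malware (MBAM) logs the way crunchie does
above: did the Full scan really cover more objects than the Quick scan, and which
items that were only scheduled "Delete on reboot" are detected again in the next run
(either no reboot happened, or the infection re-created them).

Editor's added example, not Malwarebytes code. LOG_QUICK and LOG_FULL are constructed,
trimmed copies of the first two MBAM logs posted in this thread."""
import re

LOG_QUICK = r"""
Scan type: Quick Scan
Objects scanned: 46295
Time elapsed: 4 minute(s), 28 second(s)

Memory Modules Infected:
C:\WINDOWS\system32\gpqwmc.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\System32\jkkLCuvs.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ukcafgus (Rootkit.Agent) -> Quarantined and deleted successfully.

Memory Processes Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\System32\jkkLCuvs.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\System32\Drivers\oxthuzyn.sys (Rootkit.Agent) -> Delete on reboot.
C:\WINDOWS\Cbubiga.dll (Trojan.Agent) -> Delete on reboot.
"""

LOG_FULL = r"""
Scan type: Full Scan (C:\|)
Objects scanned: 16603
Time elapsed: 10 minute(s), 0 second(s)

Memory Modules Infected:
C:\WINDOWS\system32\hnrfsj.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\System32\jkkLCuvs.dll (Trojan.Vundo.H) -> Delete on reboot.

Files Infected:
C:\WINDOWS\System32\jkkLCuvs.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\hnrfsj.dll (Trojan.Vundo.H) -> Delete on reboot.
"""

# "<path> (<family>) -> <action>."  e.g. "C:\...\x.dll (Trojan.Vundo) -> Delete on reboot."
ITEM_RE = re.compile(r"^(?P<path>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$")


def parse_mbam(text):
    """Return {'scan_type', 'objects', 'items'}; each item has section/path/family/action."""
    info = {"scan_type": "", "objects": 0, "items": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Scan type:"):
            info["scan_type"] = line.split(":", 1)[1].strip()
        elif line.startswith("Objects scanned:"):
            info["objects"] = int(line.split(":", 1)[1])
        elif line.endswith(" Infected:"):
            section = line[: -len(" Infected:")]      # e.g. "Memory Modules"
        elif section:
            m = ITEM_RE.match(line)
            if m:                                     # "(No malicious items detected)" does not match
                info["items"].append({"section": section, **m.groupdict()})
    return info


def pending_reboot(log):
    """Paths MBAM could not remove live and only scheduled for deletion at next boot."""
    return {i["path"].lower() for i in log["items"] if i["action"].lower().startswith("delete on reboot")}


def survivors(earlier, later):
    """Items pending reboot-deletion in `earlier` that `later` detects again."""
    return sorted(pending_reboot(earlier) & {i["path"].lower() for i in later["items"]})


def coverage_warning(earlier, later):
    """crunchie's sanity check: a Full scan that touched fewer objects than the
    previous Quick scan was almost certainly aborted rather than completed."""
    if later["scan_type"].startswith("Full") and later["objects"] < earlier["objects"]:
        return "full scan covered %d objects, quick scan covered %d: scan was cut short" % (
            later["objects"], earlier["objects"])
    return None


if __name__ == "__main__":
    quick, full = parse_mbam(LOG_QUICK), parse_mbam(LOG_FULL)
    print(coverage_warning(quick, full))
    for path in survivors(quick, full):
        print("still present after 'Delete on reboot':", path)
```

Run against the two constructed logs it reports the 46295 vs 16603 discrepancy and names jkkLCuvs.dll as the item that was "Delete on reboot" in the quick scan and is back in memory in the full scan, which is exactly the sign that the machine was not rebooted between the runs. The parser keys on the log's own section headers ("... Infected:") and the "(family) -> action." tail, so it works unchanged on the longer logs posted in this thread.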

0

And yes, I did run it before this thread.. just thought I would post the first log.

Cheers, but if you cannot follow directions, I will have to quit this thread.

0

Okay, on that one I aborted earlier today. I am doing a FULL scan right now - no aborts :D Sorry for not really following directions, I'm just nervous about this, you know? I'll post the logs here in a bit. Oh, and how do I find out my system specs?

0

Okay crunchie, here's what you asked :)
Malwarebytes' Anti-Malware 1.33
Database version: 1690
Windows 5.1.2600

1/24/2009 10:36:16 PM
mbam-log-2009-01-24 (22-36-16).txt

Scan type: Full Scan (C:\|)
Objects scanned: 62476
Time elapsed: 15 minute(s), 11 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 1
Registry Data Items Infected: 8
Folders Infected: 0
Files Infected: 7

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bdihinodusexuyod (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\userinit.exe -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\activedesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\esljsfan.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nafsjlse.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Avenger\oxthuzyn.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jacob\Local Settings\Temporary Internet Files\Content.IE5\4DMVKHUJ\upd105320[1] (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\frmwrk32.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jacob\Local Settings\Temp\ntdll64.dll (Trojan.FakeAlert) -> Delete on reboot.
C:\Documents and Settings\Jacob\Local Settings\Temp\mousehook.dll (Trojan.FakeAlert) -> Delete on reboot.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:42:30 PM, on 1/24/2009
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Security\Panda Antivirus Pro 2009\TPSrv.exe
C:\PROGRAM FILES\PANDA SECURITY\PANDA ANTIVIRUS PRO 2009\WebProxy.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Panda Security\Panda Antivirus Pro 2009\PsCtrls.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Panda Security\Panda Antivirus Pro 2009\APVXDWIN.EXE
C:\Program Files\AIM6\aim6.exe
C:\program files\steam\steam.exe
C:\Program Files\Panda Security\Panda Antivirus Pro 2009\PavFnSvr.exe
C:\Program Files\Common Files\Panda Security\PavShld\pavprsrv.exe
C:\Program Files\Panda Security\Panda Antivirus Pro 2009\PsImSvc.exe
C:\Program Files\Panda Security\Panda Antivirus Pro 2009\PskSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Panda Security\Panda Antivirus Pro 2009\pavsrv51.exe
C:\Program Files\Panda Security\Panda Antivirus Pro 2009\AVENGINE.EXE
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Jacob\My Documents\HiJackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {CC2B82B4-77FB-477F-B8C6-0D0A29B9AF79} - C:\WINDOWS\System32\jkkLCuvs.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Security\Panda Antivirus Pro 2009\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [SCANINICIO] "C:\Program Files\Panda Security\Panda Antivirus Pro 2009\Inicio.exe"
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [cogad] "C:\Documents and Settings\Jacob\Application Data\cogad\cogad.exe" 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C8833201749139
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1232497751749
O20 - AppInit_DLLs: gpqwmc.dll hnrfsj.dll
O20 - Winlogon Notify: geBqopOh - geBqopOh.dll (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Panda Software Controller - Panda Security, S.L. - C:\Program Files\Panda Security\Panda Antivirus Pro 2009\PsCtrls.exe
O23 - Service: Panda Function Service (PAVFNSVR) - Panda Security, S.L. - C:\Program Files\Panda Security\Panda Antivirus Pro 2009\PavFnSvr.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Security, S.L. - C:\Program Files\Common Files\Panda Security\PavShld\pavprsrv.exe
O23 - Service: Panda On-Access Anti-Malware Service (PAVSRV) - Panda Security, S.L. - C:\Program Files\Panda Security\Panda Antivirus Pro 2009\pavsrv51.exe
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Security S.L. - C:\Program Files\Panda Security\Panda Antivirus Pro 2009\PsImSvc.exe
O23 - Service: Panda PSK service (PskSvcRetail) - Panda Security, S.L. - C:\Program Files\Panda Security\Panda Antivirus Pro 2009\PskSvc.exe
O23 - Service: Panda TPSrv (TPSrv) - Panda Security, S.L. - C:\Program Files\Panda Security\Panda Antivirus Pro 2009\TPSrv.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 4826 bytes

Oh and if you still want my specs, go ahead and tell me in the next post :)

0

Okay, on that one I aborted earlier today. I am doing a FULL scan right now - no aborts :D Sorry for not really following directions, I'm just nervous about this, you know? I'll post the logs here in a bit.

In the end it's up to you. You are the one who wants to get your pc cleaned up, so it's in your best interest to follow instructions :). See how the full scan removed more entries?
Could have saved a lot of wasted posts by doing it right the first time. Plus I could relax more on my Sunday off :D.

==

Your log is still showing signs of infection.

==

Please download ComboFix by sUBs from HERE or HERE

  • You must download it to and run it from your Desktop
  • Physically disconnect from the internet.
  • Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
  • Double click combofix.exe & follow the prompts.
  • When finished, it will produce a log. Please save that log to post in your next reply along with a fresh HJT log
  • Re-enable all the programs that were disabled during the running of ComboFix..

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Run Combofix ONCE only!!

0

Okay, so it said it would be saved at c:/combofix.txt but.. it's not there? Sorry for the problem :(

0

Okay, ignore the last post, I think I got it :)

ComboFix 09-01-21.04 - Jacob 2009-01-24 23:09:32.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.0.1252.1.1033.18.1023.716 [GMT -5:00]
Running from: C:\Documents and Settings\Jacob\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Jacob\Local Settings\Temporary Internet Files\fbk.sts
C:\WINDOWS\system32\998.exe
C:\WINDOWS\system32\bmtmmupy.ini
C:\WINDOWS\system32\chert5-998.exe
C:\WINDOWS\system32\drivers\seneka.sys
C:\WINDOWS\system32\drivers\senekaibmqrsvn.sys
C:\WINDOWS\system32\idmhdgbx.dll
C:\WINDOWS\system32\ipdywdec.dll
C:\WINDOWS\system32\lvriokuu.dll
C:\WINDOWS\system32\senekairplviuy.dll
C:\WINDOWS\system32\senekaleseqtss.dat
C:\WINDOWS\system32\senekaqalkdmtj.dll
C:\WINDOWS\system32\senekaswemkmft.dat
C:\WINDOWS\system32\uniq.tll
C:\WINDOWS\system32\uwmintku.ini
C:\WINDOWS\system32\win32hlp.cnf

Infected copy of C:\WINDOWS\system32\userinit.exe was found and disinfected
Restored copy from - C:\WINDOWS\system32\init32.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_SENEKA


((((((((((((((((((((((((( Files Created from 2008-12-25 to 2009-01-25 )))))))))))))))))))))))))))))))
.

2009-01-24 21:43 . 2009-01-24 21:43 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2009-01-23 19:43 . 2009-01-23 19:43 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Malwarebytes
2009-01-23 19:23 . 2009-01-23 19:23 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2009-01-23 19:23 . 2009-01-23 19:23 <DIR> d-------- C:\Documents and Settings\Jacob\Application Data\Malwarebytes
2009-01-23 19:23 . 2009-01-23 19:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2009-01-23 19:23 . 2009-01-14 16:11 38,496 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2009-01-23 19:23 . 2009-01-14 16:11 15,504 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2009-01-23 19:22 . 2009-01-23 19:22 2,737,808 --a------ C:\Documents and Settings\Jacob\mbam-setup.exe
2009-01-23 18:50 . 2009-01-24 10:13 8,627 --a------ C:\WINDOWS\system32\PAV_FOG.OPC
2009-01-23 18:47 . 2003-03-19 05:14 499,712 --a------ C:\WINDOWS\system32\MSVCP71.DLL
2009-01-23 18:47 . 2003-02-21 13:42 348,160 --a------ C:\WINDOWS\system32\MSVCR71.DLL
2009-01-23 18:47 . 2008-04-28 17:35 84,024 --a------ C:\WINDOWS\system32\drivers\pavdrv51.sys
2009-01-23 18:47 . 2009-01-23 18:47 249 --a------ C:\WINDOWS\system32\PavCPL.dat
2009-01-23 18:46 . 2009-01-23 18:46 <DIR> d-------- C:\WINDOWS\system32\PAV
2009-01-23 18:46 . 2009-01-23 18:46 <DIR> d-------- C:\Documents and Settings\Jacob\Application Data\Panda Security
2009-01-23 18:46 . 2009-01-23 18:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Panda Security
2009-01-23 18:46 . 2008-06-18 18:03 520,448 --a------ C:\WINDOWS\system32\PavSHook.dll
2009-01-23 18:46 . 2003-10-22 18:23 446,464 --a------ C:\WINDOWS\system32\HHActiveX.dll
2009-01-23 18:46 . 2008-06-24 14:48 193,280 --a------ C:\WINDOWS\system32\TpUtil.dll
2009-01-23 18:46 . 2007-02-08 11:53 107,568 --a------ C:\WINDOWS\system32\SYSTOOLS.DLL
2009-01-23 18:46 . 2008-06-18 18:03 87,296 --a------ C:\WINDOWS\system32\PavLspHook.dll
2009-01-23 18:46 . 2008-03-18 16:58 58,672 --a------ C:\WINDOWS\system32\avldr.dll
2009-01-23 18:46 . 2008-06-18 18:03 55,552 --a------ C:\WINDOWS\system32\pavipc.dll
2009-01-23 18:46 . 2007-03-15 19:38 54,832 --a------ C:\WINDOWS\system32\pavcpl.cpl
2009-01-23 18:41 . 2009-01-23 18:41 <DIR> d-------- C:\Program Files\Common Files\Panda Security
2009-01-23 18:41 . 2008-02-07 12:03 179,640 --a------ C:\WINDOWS\system32\drivers\PavProc.sys
2009-01-23 18:41 . 2008-03-04 15:59 41,144 --a------ C:\WINDOWS\system32\drivers\ShlDrv51.sys
2009-01-23 18:36 . 2009-01-23 18:39 81,751,488 --a------ C:\Documents and Settings\Jacob\AP09promo.exe
2009-01-21 14:46 . 2009-01-23 19:35 <DIR> d-------- C:\Documents and Settings\Jacob\Application Data\Desktopicon
2009-01-21 14:46 . 2009-01-21 14:45 243,204 --a------ C:\Documents and Settings\Jacob\unlocker1.8.7.exe
2009-01-21 14:42 . 2009-01-23 18:58 <DIR> d-------- C:\Program Files\Unlocker
2009-01-21 14:15 . 2008-06-19 17:24 28,544 --a------ C:\WINDOWS\system32\drivers\pavboot.sys
2009-01-21 14:14 . 2009-01-23 18:46 <DIR> d-------- C:\Program Files\Panda Security
2009-01-20 20:46 . 2009-01-20 20:46 0 --a------ C:\WINDOWS\nsreg.dat
2009-01-20 19:43 . 2009-01-20 19:43 126,464 --a------ C:\WINDOWS\system32\wwhubtgn.dll
2009-01-20 19:43 . 2009-01-20 19:43 126,464 --a------ C:\WINDOWS\system32\evrpap.dll
2009-01-20 19:40 . 2009-01-24 21:30 1,792 --a------ C:\WINDOWS\ukcafgus
2009-01-16 21:58 . 2009-01-16 21:58 <DIR> d-------- C:\Documents and Settings\Jacob\Application Data\Viewpoint
2009-01-11 19:31 . 2001-08-17 22:36 324,608 --a------ C:\WINDOWS\system32\hpojwia.dll
2009-01-11 19:31 . 2001-08-17 22:36 324,608 --a--c--- C:\WINDOWS\system32\dllcache\hpojwia.dll
2009-01-11 19:31 . 2001-08-17 13:47 205,056 --a------ C:\WINDOWS\system32\drivers\Dot4.sys
2009-01-11 19:31 . 2001-08-17 13:47 205,056 --a--c--- C:\WINDOWS\system32\dllcache\dot4.sys
2009-01-11 19:31 . 2001-07-21 20:27 18,411 --a------ C:\WINDOWS\system32\hpo5500a.aio
2009-01-11 19:31 . 2001-07-21 20:27 18,411 --a------ C:\WINDOWS\system32\hpo5400a.aio
2009-01-11 19:31 . 2001-07-21 20:27 18,411 --a------ C:\WINDOWS\system32\hpo5300a.aio
2009-01-11 19:31 . 2001-08-17 13:47 12,928 --a------ C:\WINDOWS\system32\drivers\Dot4Prt.sys
2009-01-11 19:31 . 2001-08-17 13:47 12,928 --a--c--- C:\WINDOWS\system32\dllcache\dot4prt.sys
2009-01-11 19:31 . 2001-08-17 13:47 8,704 --a------ C:\WINDOWS\system32\drivers\Dot4scan.sys
2009-01-11 19:31 . 2001-08-17 13:47 8,704 --a--c--- C:\WINDOWS\system32\dllcache\dot4scan.sys
2009-01-10 21:48 . 2009-01-10 21:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Blizzard
2009-01-10 20:25 . 2009-01-20 19:09 <DIR> d-------- C:\Program Files\World of Warcraft
2009-01-10 20:25 . 2009-01-10 20:25 <DIR> d-------- C:\Program Files\Common Files\Blizzard Entertainment
2009-01-10 19:48 . 2004-07-09 04:27 1,769,472 --a------ C:\WINDOWS\system32\dxdiagn.dll
2009-01-10 19:47 . 2009-01-10 19:48 <DIR> d--h----- C:\WINDOWS\msdownld.tmp
2009-01-10 19:47 . 2009-01-10 19:47 <DIR> d-------- C:\WINDOWS\Logs
2009-01-10 18:57 . 2009-01-10 18:57 <DIR> d---s---- C:\Documents and Settings\Jacob\UserData
2009-01-10 18:48 . 2009-01-10 18:48 <DIR> d-------- C:\Program Files\Ventrilo
2009-01-10 18:48 . 2009-01-10 18:48 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2009-01-10 18:48 . 2009-01-11 19:39 <DIR> d-------- C:\Documents and Settings\Jacob\Application Data\Ventrilo
2009-01-10 18:48 . 2009-01-10 18:48 262 --a------ C:\WINDOWS\{789289CA-F73A-4A16-A331-54D498CE069F}_WiseFW.ini
2009-01-10 18:45 . 2009-01-11 18:03 <DIR> d-------- C:\Program Files\Google
2009-01-10 18:43 . 2009-01-24 23:19 <DIR> d-------- C:\Program Files\Steam
2009-01-10 18:40 . 2009-01-10 18:40 <DIR> d-------- C:\Program Files\Viewpoint
2009-01-10 18:40 . 2009-01-10 18:40 <DIR> d-------- C:\Program Files\Common Files\AOL
2009-01-10 18:40 . 2009-01-10 18:40 <DIR> d-------- C:\Documents and Settings\Jacob\Application Data\acccore
2009-01-10 18:40 . 2009-01-10 18:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Viewpoint
2009-01-10 18:40 . 2009-01-10 18:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL OCP
2009-01-10 18:40 . 2009-01-10 18:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL
2009-01-10 18:40 . 2009-01-10 18:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\acccore
2009-01-10 18:39 . 2009-01-10 18:40 <DIR> d-------- C:\Program Files\AIM6
2009-01-10 18:39 . 2009-01-10 18:40 352 --ah----- C:\IPH.PH
2009-01-10 18:20 . 2009-01-10 18:20 <DIR> d-------- C:\WINDOWS\nview
2009-01-10 18:20 . 2009-01-10 18:20 <DIR> d-------- C:\NVIDIA
2009-01-10 18:20 . 2008-12-23 21:58 453,152 --a------ C:\WINDOWS\system32\NVUNINST.EXE
2009-01-10 18:20 . 2008-12-26 00:08 453,152 --a------ C:\WINDOWS\system32\nvudisp.exe
2009-01-10 18:20 . 2009-01-24 23:18 206,492 --a------ C:\WINDOWS\system32\nvapps.xml
2009-01-10 18:20 . 2008-12-26 00:08 18,725 --a------ C:\WINDOWS\system32\nvdisp.nvu
2009-01-10 18:15 . 2009-01-10 18:15 <DIR> d-------- C:\Program Files\SystemRequirementsLab
2009-01-10 18:15 . 2009-01-10 18:15 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2009-01-10 18:09 . 2009-01-23 18:46 <DIR> d--h----- C:\Program Files\InstallShield Installation Information
2009-01-10 18:09 . 2009-01-10 18:09 <DIR> d-------- C:\Program Files\D-Link
2009-01-10 18:09 . 2009-01-23 18:41 <DIR> d-------- C:\Program Files\Common Files\InstallShield
2009-01-10 17:29 . 2001-08-17 14:03 21,760 --a--c--- C:\WINDOWS\system32\dllcache\usbstor.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-10 21:57 --------- d-----w C:\Program Files\Common Files\Adobe
2009-01-10 21:57 --------- d-----w C:\Documents and Settings\Jacob\Application Data\AdobeUM
2009-01-10 21:30 --------- d-----w C:\Program Files\microsoft frontpage
2008-10-27 15:04 70,992 ----a-w C:\WINDOWS\system32\XAPOFX1_2.dll
2008-10-27 15:04 514,384 ----a-w C:\WINDOWS\system32\XAudio2_3.dll
2008-10-27 15:04 235,856 ----a-w C:\WINDOWS\system32\xactengine3_3.dll
2008-10-27 15:04 23,376 ----a-w C:\WINDOWS\system32\X3DAudio1_5.dll
2008-10-27 14:48 80,896 ----a-w C:\WINDOWS\system32\dxdllreg.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2008-10-21 12:09 50472]
"Steam"="c:\program files\steam\steam.exe" [2009-01-10 18:43 1410296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2008-12-26 00:08 13680640]
"NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [2008-12-26 00:08 86016]
"APVXDWIN"="C:\Program Files\Panda Security\Panda Antivirus Pro 2009\APVXDWIN.EXE" [2008-12-03 03:54 869632]
"SCANINICIO"="C:\Program Files\Panda Security\Panda Antivirus Pro 2009\Inicio.exe" [2008-07-07 14:43 50432]
"nwiz"="nwiz.exe" [2008-12-26 00:08 1657376 C:\WINDOWS\system32\nwiz.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avldr]
2008-03-18 16:58 58672 C:\WINDOWS\system32\avldr.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=gpqwmc.dll hnrfsj.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PskSvcRetail]
@="Service"

R0 pavboot;Panda boot driver;C:\WINDOWS\system32\drivers\pavboot.sys [2009-01-21 14:15:41 28544]
R1 ShldDrv;Panda File Shield Driver;C:\WINDOWS\system32\drivers\ShlDrv51.sys [2009-01-23 18:41:48 41144]
R3 AvFlt;Antivirus Filter Driver;C:\WINDOWS\System32\drivers\av5flt.sys --> C:\WINDOWS\System32\drivers\av5flt.sys [?]
R3 PavSRK.sys;PavSRK.sys;\??\C:\WINDOWS\System32\PavSRK.sys --> C:\WINDOWS\System32\PavSRK.sys [?]
R3 PavTPK.sys;PavTPK.sys;\??\C:\WINDOWS\System32\PavTPK.sys --> C:\WINDOWS\System32\PavTPK.sys [?]
R4 Gwmsrv;Panda Goodware Cache Manager;C:\WINDOWS\System32\svchost -k Panda --> C:\WINDOWS\System32\svchost -k Panda [?]
R4 PavProc;Panda Process Protection Driver;C:\WINDOWS\system32\drivers\PavProc.sys [2009-01-23 18:41:48 179640]
R4 PskSvcRetail;Panda PSK service;C:\Program Files\Panda Security\Panda Antivirus Pro 2009\psksvc.exe [2009-01-23 18:47:06 28928]
R4 Viewpoint Manager Service;Viewpoint Manager Service;C:\Program Files\Viewpoint\Common\ViewpointService.exe [2009-01-10 18:40:34 24652]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - ALG
*NewlyCreated* - IPNAT

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
panda REG_MULTI_SZ Gwmsrv
.
- - - - ORPHANS REMOVED - - - -

BHO-{CC2B82B4-77FB-477F-B8C6-0D0A29B9AF79} - C:\WINDOWS\System32\jkkLCuvs.dll
HKCU-Run-cogad - C:\Documents and Settings\Jacob\Application Data\cogad\cogad.exe
Notify-geBqopOh - geBqopOh.dll
MSConfigStartUp-prunnet - C:\WINDOWS\System32\prunnet.exe
MSConfigStartUp-Qlagegacudezen - C:\WINDOWS\amemicelo.dll
MSConfigStartUp-UnlockerAssistant - C:\Program Files\Unlocker\UnlockerAssistant.exe
MSConfigStartUp-Framework Windows - frmwrk32.exe


.
------- Supplementary Scan -------
.
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
FF - ProfilePath - C:\Documents and Settings\Jacob\Application Data\Mozilla\Firefox\Profiles\wqu6nc17.default\
FF - plugin: C:\Program Files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
.
.
------- File Associations -------
.
JSEFile=C:\PROGRA~1\PANDAS~1\PANDAA~1\PAVSCRIP.EXE "%1" %*
VBEFile=C:\PROGRA~1\PANDAS~1\PANDAA~1\PAVSCRIP.EXE "%1" %*
VBSFile=C:\PROGRA~1\PANDAS~1\PANDAA~1\PAVSCRIP.EXE "%1" %*
.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:27, on 2009-01-24
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Security\Panda Antivirus Pro 2009\TPSrv.exe
C:\PROGRAM FILES\PANDA SECURITY\PANDA ANTIVIRUS PRO 2009\WebProxy.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Panda Security\Panda Antivirus Pro 2009\PsCtrls.exe
C:\Program Files\Panda Security\Panda Antivirus Pro 2009\PavFnSvr.exe
C:\Program Files\Common Files\Panda Security\PavShld\pavprsrv.exe
C:\Program Files\Panda Security\Panda Antivirus Pro 2009\PsImSvc.exe
C:\Program Files\Panda Security\Panda Antivirus Pro 2009\PskSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Panda Security\Panda Antivirus Pro 2009\pavsrv51.exe
C:\Program Files\Panda Security\Panda Antivirus Pro 2009\AVENGINE.EXE
C:\Program Files\Panda Security\Panda Antivirus Pro 2009\ApvxdWin.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Panda Security\Panda Antivirus Pro 2009\psimreal.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Jacob\My Documents\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {CC2B82B4-77FB-477F-B8C6-0D0A29B9AF79} - C:\WINDOWS\System32\jkkLCuvs.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Security\Panda Antivirus Pro 2009\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [SCANINICIO] "C:\Program Files\Panda Security\Panda Antivirus Pro 2009\Inicio.exe"
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [cogad] "C:\Documents and Settings\Jacob\Application Data\cogad\cogad.exe" 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C8833201749139
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1232497751749
O20 - Winlogon Notify: geBqopOh - geBqopOh.dll (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Panda Software Controller - Panda Security, S.L. - C:\Program Files\Panda Security\Panda Antivirus Pro 2009\PsCtrls.exe
O23 - Service: Panda Function Service (PAVFNSVR) - Panda Security, S.L. - C:\Program Files\Panda Security\Panda Antivirus Pro 2009\PavFnSvr.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Security, S.L. - C:\Program Files\Common Files\Panda Security\PavShld\pavprsrv.exe
O23 - Service: Panda On-Access Anti-Malware Service (PAVSRV) - Panda Security, S.L. - C:\Program Files\Panda Security\Panda Antivirus Pro 2009\pavsrv51.exe
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Security S.L. - C:\Program Files\Panda Security\Panda Antivirus Pro 2009\PsImSvc.exe
O23 - Service: Panda PSK service (PskSvcRetail) - Panda Security, S.L. - C:\Program Files\Panda Security\Panda Antivirus Pro 2009\PskSvc.exe
O23 - Service: Panda TPSrv (TPSrv) - Panda Security, S.L. - C:\Program Files\Panda Security\Panda Antivirus Pro 2009\TPSrv.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 5142 bytes

0

Please go to Jotti's or to virustotal and have these files scanned. Post the results back here.

C:\WINDOWS\system32\wwhubtgn.dll
C:\WINDOWS\system32\evrpap.dll
C:\WINDOWS\system32\hpojwia.dll
C:\WINDOWS\system32\dllcache\hpojwia.dll
C:\WINDOWS\system32\drivers\Dot4.sys
C:\WINDOWS\system32\dllcache\dot4.sys
C:\WINDOWS\system32\hpo5500a.aio
C:\WINDOWS\system32\hpo5400a.aio
C:\WINDOWS\system32\hpo5300a.aio
C:\WINDOWS\system32\drivers\Dot4Prt.sys
C:\WINDOWS\system32\dllcache\dot4prt.sys
C:\WINDOWS\system32\drivers\Dot4scan.sys
C:\WINDOWS\system32\dllcache\dot4scan.sys

0
0

Please go here & install ALL critical updates required for your system, including service pack 1a for both XP and IE6.

Do not install SP2 yet as your pc is not yet clean.

Post back a new hijackthis log after rebooting your system.

There is more to be done.

0

I use the Firefox web browser. Do you still want me to install Service Pack 1a? And that link brings me to a "thank you for updating" site from Microsoft?

0

I will post back tomorrow with the HJT log, for I am tired. Thanks for the help so far crunchie :)

0

OK, got it:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 01:02, on 2009-01-25
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Panda Security\Panda Antivirus Pro 2009\APVXDWIN.EXE
C:\Program Files\AIM6\aim6.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Panda Security\Panda Antivirus Pro 2009\PsCtrls.exe
C:\Program Files\Panda Security\Panda Antivirus Pro 2009\PavFnSvr.exe
C:\Program Files\Common Files\Panda Security\PavShld\pavprsrv.exe
C:\Program Files\Panda Security\Panda Antivirus Pro 2009\PsImSvc.exe
C:\Program Files\Panda Security\Panda Antivirus Pro 2009\PskSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Panda Security\Panda Antivirus Pro 2009\TPSrv.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Panda Security\Panda Antivirus Pro 2009\pavsrv51.exe
C:\Program Files\Panda Security\Panda Antivirus Pro 2009\AVENGINE.EXE
C:\Program Files\Panda Security\Panda Antivirus Pro 2009\avciman.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Panda Security\Panda Antivirus Pro 2009\WebProxy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Jacob\My Documents\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {CC2B82B4-77FB-477F-B8C6-0D0A29B9AF79} - C:\WINDOWS\System32\jkkLCuvs.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Security\Panda Antivirus Pro 2009\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [SCANINICIO] "C:\Program Files\Panda Security\Panda Antivirus Pro 2009\Inicio.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto
O4 - HKCU\..\Run: [cogad] "C:\Documents and Settings\Jacob\Application Data\cogad\cogad.exe" 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C8833201749139
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1232497751749
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1232905967906
O20 - Winlogon Notify: geBqopOh - geBqopOh.dll (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Panda Software Controller - Panda Security, S.L. - C:\Program Files\Panda Security\Panda Antivirus Pro 2009\PsCtrls.exe
O23 - Service: Panda Function Service (PAVFNSVR) - Panda Security, S.L. - C:\Program Files\Panda Security\Panda Antivirus Pro 2009\PavFnSvr.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Security, S.L. - C:\Program Files\Common Files\Panda Security\PavShld\pavprsrv.exe
O23 - Service: Panda On-Access Anti-Malware Service (PAVSRV) - Panda Security, S.L. - C:\Program Files\Panda Security\Panda Antivirus Pro 2009\pavsrv51.exe
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Security S.L. - C:\Program Files\Panda Security\Panda Antivirus Pro 2009\PsImSvc.exe
O23 - Service: Panda PSK service (PskSvcRetail) - Panda Security, S.L. - C:\Program Files\Panda Security\Panda Antivirus Pro 2009\PskSvc.exe
O23 - Service: Panda TPSrv (TPSrv) - Panda Security, S.L. - C:\Program Files\Panda Security\Panda Antivirus Pro 2009\TPSrv.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 5249 bytes

0

No wonder I don't use Panda. 11 processes.....what a hog.

==

Let's get rid of Combofix now that we are finished with it. Click START then RUN
Now type Combofix /u in the runbox and click OK. Note the space between the X and the /, it needs to be there.

When shown the disclaimer, select "2".

The above procedure will delete the following:
ComboFix and its associated files and folders.
VundoFix backups, if present.
The C:\Deckard folder, if present.
The C:\_OtMoveIt folder, if present.
Reset the clock settings.
Hide file extensions, if required.
Hide System/Hidden files, if required.
Reset System Restore.

====

Go to Add/Remove programs and uninstall the following, if present:

Viewpoint Manager, Viewpoint Media Player, Viewpoint Toolbar

The above could appear anywhere within the entry. Be careful not to remove any personal or system software.

===============

Scan with HijackThis and then place a check next to all the following, if present:

O2 - BHO: (no name) - {CC2B82B4-77FB-477F-B8C6-0D0A29B9AF79} - C:\WINDOWS\System32\jkkLCuvs.dll (file missing)

O4 - HKCU\..\Run: [cogad] "C:\Documents and Settings\Jacob\Application Data\cogad\cogad.exe" 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C8833201749139

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O20 - Winlogon Notify: geBqopOh - geBqopOh.dll (file missing)

O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe


Now, close all instances of Internet Explorer and any other windows you have open except HiJackThis, click "Fix checked".

===============

Locate and delete the following item(s), if present. Make sure you are able to view system and hidden files/ folders:

folders...

C:\Program Files\Viewpoint

files...

C:\Documents and Settings\Jacob\Application Data\cogad\cogad.exe

-

Note that some of these file(s)/folder(s) may or may not be present. If present, and they cannot be deleted because they're 'in use', try deleting them in Safe Mode by doing the following:

Restart your computer.
After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
Instead of Windows loading as normal, a menu should appear.
Select the first option, to run Windows in Safe Mode, and hit Enter.

-

Reboot.

===============

After rebooting, rescan with hijackthis and post back a new log. Please let me know how your pc is now.

Attachments CF_cleanup.png 6.73 KB
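The helper is doing two things by hand across these posts: picking out the HijackThis entries that deserve attention (the "(file missing)" leftovers, the bare-name Winlogon Notify DLL, the odd autorun under Application Data) and comparing successive logs to see what each cleanup removed. The script below, an added example that is not part of the thread and not a HijackThis feature, automates both. Its review heuristics are my own assumptions modelled on the entries flagged in this thread, and the two sample logs are trimmed copies of lines from the logs posted above, not full logs.

```python
"""Parse HijackThis 2.0.2 logs, flag entries worth a second look, and diff two logs.

Added example (not from the thread, not a HijackThis feature).  The sample logs
are constructed from a handful of entries that appear in the thread's posts.
"""
import re
from dataclasses import dataclass

# HijackThis lines look like "O4 - HKCU\..\Run: [name] path args"; header and
# "Running processes" lines do not match and are skipped.
ENTRY_RE = re.compile(r"^(O\d+|R\d+|F\d+|N\d+) - (.*)$")


@dataclass(frozen=True)
class Entry:
    section: str   # e.g. "O2", "O4", "O20", "O23"
    body: str      # everything after "O4 - "


def parse_hjt(text):
    """Return the Oxx/Rxx entries of a HijackThis log, in log order."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return entries


def flag_entry(e):
    """Heuristic review (assumed rules, not HijackThis's): reasons an entry deserves a look."""
    reasons = []
    if "(file missing)" in e.body:
        reasons.append("registration points at a file that no longer exists")
    if e.section == "O20" and ".dll" in e.body and "\\" not in e.body:
        reasons.append("Winlogon Notify DLL given by bare name rather than full path")
    if e.section == "O4" and re.search(r"\\Application Data\\", e.body, re.I):
        reasons.append("autorun launched from a user-profile data folder")
    if e.section == "O4" and re.search(r'"\s+[0-9A-F]{32,}\s*$', e.body):
        reasons.append("autorun passes a long opaque hex argument")
    return reasons


def review(text):
    """Map each flagged entry of a log to its list of reasons."""
    return {e: flag_entry(e) for e in parse_hjt(text) if flag_entry(e)}


def diff_logs(before, after):
    """Entries removed by a cleanup and entries that newly appeared, as sorted lists."""
    b, a = set(parse_hjt(before)), set(parse_hjt(after))
    key = lambda e: (e.section, e.body)
    return sorted(b - a, key=key), sorted(a - b, key=key)


# Constructed sample: a few entries from the log posted before the HJT fix ...
LOG_BEFORE = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 01:02, on 2009-01-25
Platform: Windows XP SP1 (WinNT 5.01.2600)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {CC2B82B4-77FB-477F-B8C6-0D0A29B9AF79} - C:\WINDOWS\System32\jkkLCuvs.dll (file missing)
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Security\Panda Antivirus Pro 2009\APVXDWIN.EXE" /s
O4 - HKCU\..\Run: [cogad] "C:\Documents and Settings\Jacob\Application Data\cogad\cogad.exe" 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C8833201749139
O20 - Winlogon Notify: geBqopOh - geBqopOh.dll (file missing)
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
"""

# ... and the matching entries from the log posted after it.
LOG_AFTER = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 07:11:13 AM, on 2009-01-25
Platform: Windows XP SP1 (WinNT 5.01.2600)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Security\Panda Antivirus Pro 2009\APVXDWIN.EXE" /s
"""


if __name__ == "__main__":
    print("Entries worth reviewing in the earlier log:")
    for entry, reasons in review(LOG_BEFORE).items():
        print(f"  {entry.section} - {entry.body[:60]}...")
        for r in reasons:
            print(f"      - {r}")
    removed, added = diff_logs(LOG_BEFORE, LOG_AFTER)
    print(f"\nRemoved by the cleanup ({len(removed)}):")
    for entry in removed:
        print(f"  {entry.section} - {entry.body[:60]}...")
    print(f"Newly appeared ({len(added)}): {[e.section for e in added]}")
```

Every entry the diff reports as removed should be one you recognised in the review step; an entry that vanished without having been flagged, or one that newly appeared, is the cue to post another log rather than declare the machine clean.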
0

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 07:11:13 AM, on 2009-01-25
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Panda Security\Panda Antivirus Pro 2009\APVXDWIN.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Panda Security\Panda Antivirus Pro 2009\PsCtrls.exe
C:\Program Files\Panda Security\Panda Antivirus Pro 2009\PavFnSvr.exe
C:\Program Files\Common Files\Panda Security\PavShld\pavprsrv.exe
C:\Program Files\Panda Security\Panda Antivirus Pro 2009\PsImSvc.exe
C:\Program Files\Panda Security\Panda Antivirus Pro 2009\PskSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Panda Security\Panda Antivirus Pro 2009\TPSrv.exe
C:\Program Files\Panda Security\Panda Antivirus Pro 2009\pavsrv51.exe
C:\Program Files\Panda Security\Panda Antivirus Pro 2009\AVENGINE.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Panda Security\Panda Antivirus Pro 2009\WebProxy.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Panda Security\Panda Antivirus Pro 2009\psimreal.exe
C:\Documents and Settings\Jacob\My Documents\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Security\Panda Antivirus Pro 2009\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [SCANINICIO] "C:\Program Files\Panda Security\Panda Antivirus Pro 2009\Inicio.exe"
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1232497751749
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1232905967906
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Panda Software Controller - Panda Security, S.L. - C:\Program Files\Panda Security\Panda Antivirus Pro 2009\PsCtrls.exe
O23 - Service: Panda Function Service (PAVFNSVR) - Panda Security, S.L. - C:\Program Files\Panda Security\Panda Antivirus Pro 2009\PavFnSvr.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Security, S.L. - C:\Program Files\Common Files\Panda Security\PavShld\pavprsrv.exe
O23 - Service: Panda On-Access Anti-Malware Service (PAVSRV) - Panda Security, S.L. - C:\Program Files\Panda Security\Panda Antivirus Pro 2009\pavsrv51.exe
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Security S.L. - C:\Program Files\Panda Security\Panda Antivirus Pro 2009\PsImSvc.exe
O23 - Service: Panda PSK service (PskSvcRetail) - Panda Security, S.L. - C:\Program Files\Panda Security\Panda Antivirus Pro 2009\PskSvc.exe
O23 - Service: Panda TPSrv (TPSrv) - Panda Security, S.L. - C:\Program Files\Panda Security\Panda Antivirus Pro 2009\TPSrv.exe

--
End of file - 4362 bytes

She's running beautifully :) Oh, and on the restart it asked me if I want to start the Recovery Console? What is this? Is it good?

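A triage script for logs in this format, added here as an example and not part of the thread or of HijackThis itself. It parses the O4 (autorun), O16 (ActiveX download) and O23 (service) lines and flags the patterns that usually matter in these threads: an autorun or service binary living under a user-writable profile path such as Application Data or Temp (the kind of entry, like the cogad.exe path mentioned above, that has no business starting with Windows), a service with no company name, and an ActiveX control downloaded from a host outside a short trusted list. The trusted-host list (microsoft.com and nvidia.com, matching the O16 lines in the log) and the user-writable path fragments are assumptions for this example; the sample log mixes lines copied from the log above with constructed lines that are labelled as such.

```python
"""Triage helper for HijackThis-style logs (added example, not from the thread)."""
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Assumption for this example: hosts trusted to serve ActiveX (O16 DPF) controls.
TRUSTED_DPF_HOSTS = ("microsoft.com", "nvidia.com")

# Assumption for this example: path fragments marking user-writable locations on
# Windows XP. Machine-wide autoruns and services rarely live here; malware often does.
USER_WRITABLE = ("\\documents and settings\\", "\\application data\\", "\\temp\\")

RE_O4 = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
RE_O16 = re.compile(r"^O16 - DPF: (?P<clsid>\{[0-9A-Fa-f-]+\}) \((?P<name>[^)]*)\) - (?P<url>\S+)$")
RE_O23 = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<company>.+?) - (?P<path>.+)$")
RE_EXE = re.compile(r"^(?P<exe>.*?\.exe)", re.IGNORECASE)

# Constructed sample log: lines 1, 3, 4 and 6 are copied from the log in this
# thread; lines 2, 5 and 7 are constructed to show what a flagged entry looks like.
SAMPLE_LOG = r"""O4 - HKLM\..\Run: [SCANINICIO] "C:\Program Files\Panda Security\Panda Antivirus Pro 2009\Inicio.exe"
O4 - HKCU\..\Run: [cogad] C:\Documents and Settings\Jacob\Application Data\cogad\cogad.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab
O16 - DPF: {00000000-0000-0000-0000-000000000000} (Example Toolbar) - http://dl.example.net/toolbar.cab
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Example Updater (exupd) - Unknown owner - C:\Documents and Settings\Jacob\Local Settings\Temp\exupd.exe
"""


@dataclass
class Finding:
    line: int                      # 1-based line number in the log
    section: str                   # O4, O16 or O23
    subject: str                   # autorun name, control name or service name
    reasons: list = field(default_factory=list)


def exe_from_command(cmd: str) -> str:
    """Return the executable path from an O4 command, dropping quotes and arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = RE_EXE.match(cmd)
    return m.group("exe") if m else cmd


def in_user_writable(path: str) -> bool:
    """True if the path sits under one of the user-writable fragments above."""
    low = path.lower()
    return any(frag in low for frag in USER_WRITABLE)


def host_is_trusted(url: str) -> bool:
    """Suffix match on the URL host; 'microsoft.com.evil.example' does not pass."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == h or host.endswith("." + h) for h in TRUSTED_DPF_HOSTS)


def triage(log_text: str) -> list:
    """Scan a HijackThis log and return the entries that deserve a closer look."""
    findings = []
    for no, raw in enumerate(log_text.splitlines(), start=1):
        line = raw.strip()
        m4, m16, m23 = RE_O4.match(line), RE_O16.match(line), RE_O23.match(line)
        reasons = []
        if m4:
            section, subject = "O4", m4.group("name")
            exe = exe_from_command(m4.group("cmd"))
            if in_user_writable(exe):
                reasons.append("autorun executable in user-writable path: " + exe)
        elif m16:
            section, subject = "O16", m16.group("name")
            if not host_is_trusted(m16.group("url")):
                reasons.append("ActiveX control downloaded from unlisted host: " + m16.group("url"))
        elif m23:
            section, subject = "O23", m23.group("name")
            if m23.group("company").strip().lower() == "unknown owner":
                reasons.append("service binary carries no company name")
            if in_user_writable(m23.group("path")):
                reasons.append("service binary in user-writable path: " + m23.group("path"))
        else:
            continue  # other HijackThis sections are not handled by this example
        if reasons:
            findings.append(Finding(no, section, subject, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"line {f.line} [{f.section}] {f.subject}")
        for r in f.reasons:
            print("    -", r)
```

Run against the constructed sample it reports three entries: the HKCU autorun under Application Data, the ActiveX control from dl.example.net, and the "Unknown owner" service in Temp. The Panda autorun, the Microsoft and NVIDIA controls and the NVIDIA service pass, which is the same conclusion the reply below reaches for the real log. A flag is a prompt to look, not a verdict: a legitimate installer can put an updater under the profile, and a trusted host list only catches what you remembered to list.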

^^ I also did not find
C:\Documents and Settings\Jacob\Application Data\cogad\cogad.exe
and
C:\Program Files\Viewpoint

I'm guessing this is good? :D


Oh, and on the restart it asked me if I want to start the Recovery Console? What is this? Is it good?

Did you install the recovery console when you first ran combofix?

==


Congratulations! Your log looks clean.

===============

Now that your PC is clean you need to follow these easy steps to keeping it this way:

Download CCleaner and install, then run it. It will clear out your temp folders.

  1. Uncheck "Cookies" under "Internet Explorer".
  2. Click on Run Cleaner in the lower right-hand corner. This can take quite a while to run.
  3. Close when finished.

====

An alternative to CCleaner is ATF Cleaner.
Download ATF (Atribune Temp File) Cleaner by Atribune to your desktop.

Double-click ATF Cleaner.exe to open it.

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache

*The other boxes are optional*
Then click the Empty Selected button.

Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

====

Use an alternative browser! Download Firefox and give it a run. It is far more secure than Internet Explorer. Or, you can get Opera, which in my opinion, is better still.

====

Use a firewall. It is an essential part of your computer's security. There is a link to a good, free firewall in my signature.

====

Install and keep updated,
Spybot S&D.
Run it on a regular basis, following the maker's recommendations.

====

Install an anti-virus. There are some good, free AVs available today. Make sure that it is updated regularly and have it scan your system often.

====

Check for Windows Updates. Microsoft regularly posts updates for your system's safe running. Make sure to take advantage of this. Reboot when installed and return to make sure there are no others.

=====

For XP users.
After something like this it is a good idea to Flush the Restore Points and start fresh.
To flush the XP system Restore Points.

Go to Start | Run and type msconfig and press enter.

When msconfig opens, click the Launch System Restore Button.
On the next page, click the System Restore Settings link on the left.

Check the box labelled 'Turn off System Restore'.

Reboot. Go back in and Turn System Restore Back on. A new Restore Point will be created.

Note that all previous restore points will be lost.

===============

Please mark this thread as solved if all is well.

If you have any more problems, post back.

-

Happy surfing,

crunchie.
