
I share this computer with my roommate, and we both pretty much spend the same amount of time on it. Recently I've been experiencing huge slowdown. Today it got so much worse. I noticed something called the Mirar toolbar that I couldn't disable, and any of my actions took minutes to complete that would normally take a second. So I googled "how to remove Mirar toolbar" and that eventually led to me downloading Spyware Doctor. It picked up a few things but I can't remove them without being registered. I get maybe 30 Malicious Actions blocked a minute, and it's incredibly annoying. AVG Anti Virus is doing a scan now but it hasn't picked up anything yet.

Attached is a HijackThis log; if anyone could help me it would be greatly appreciated!


Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 8:42:09 PM, on 6/25/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\NavNT\vptray.exe
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\atwtusb.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Xfire\Xfire.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\msdtc.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\o02PrEz\o02PrEz1065.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\Documents and Settings\Larry\Desktop\HiJackThis_v2.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {2E9D4C81-9F27-4c14-B804-7B0F6BC88A4F} - C:\Program Files\Outerinfo\Outerinfo.dll
O2 - BHO: (no name) - {4A168249-1BF9-4A1D-965C-3EC04A69736B} - C:\Program Files\Windows NT\mewofyn83122.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Mirar - {9A9C9B69-F908-4AAB-8D0C-10EA8997F37E} - C:\WINDOWS\system32\WinNB58.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {E62D925C-87E0-41DB-8EAF-4019C079FD96} - C:\WINDOWS\system32\jkhfe.dll
O2 - BHO: (no name) - {f692398e-2c9c-4a4d-96e8-b1520eeac2c8} - C:\WINDOWS\system32\bxvymww.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Mirar - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - C:\WINDOWS\system32\WinNB58.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] "C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE"
O4 - HKLM\..\Run: [jiahus] C:\WINDOWS\system32\svchcs.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [atwtusb] atwtusb.exe beta
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\retadpu2000219.exe 61A847B5BBF72810329B385473F001F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKCU\..\Run: [UpData] C:\WINDOWS\system32\svch0st.exe
O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\IGN\Download Manager\DLM.exe /windowsstart /startifwork
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Outerinfo] "C:\Program Files\Outerinfo\Outerinfo.exe"
O4 - HKCU\..\Run: [OuterinfoUpdate] "C:\Program Files\Outerinfo\OuterinfoUpdate.exe"
O4 - HKCU\..\Run: [WebBuying] C:\Program Files\Web Buying\v1.7.4\webbuying.exe
O4 - HKCU\..\Run: [WinPop] C:\Program Files\WinPop\winpop.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
O16 - DPF: {8A0DCBDB-6E20-489C-9041-C1E8A0352E75} (Mirar_Dummy_ATS1 Class) - http://awbeta.net-nucleus.com/FIX/WinATS.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://webcam.salisbury.edu/activex/AxisCamControl.cab
O20 - Winlogon Notify: jkhfe - C:\WINDOWS\system32\jkhfe.dll
O20 - Winlogon Notify: opnmlmm - C:\WINDOWS\SYSTEM32\opnmlmm.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - Unknown owner - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\Internet Explorer\rteremejyfs.html
--
End of file - 8745 bytes

Last Post by gerbil

Holy Cow!! What a selection!
First things first, so please do these things in this order:
For a start you have a vundo infection... so just in case something else is hidden would you rename hijackthis.exe to.. umm... imabunny.exe for the next scan, please? And move it to a new folder, say alongside your pgm files folder.
==Please download VundoFix.exe to your desktop from http://www.atribune.org/ccount/click.php?id=4
Double-click VundoFix.exe to start it, click the Scan for Vundo button.
When the scan completes click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files - click YES
Your desktop will then go blank as the process of removing Vundo starts.
When completed it will prompt that it will restart your computer - click OK.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.
Read the log - if any files it found were not deleted, re-run VundoFix until all deletion attempts are successful.
Post the contents of C:\vundofix.txt plus a new HijackThis log.
CCleaner:
==Get CCleaner from http://www.ccleaner.com/ - and put it in a new folder. You should aim to keep this one for general use. I set it from the installation checkboxes to only open from the recycle bin. It's neater that way.
Now run CCleaner from the recycle bin rclick menu using its default settings [if you set up CCleaner as I suggested, rclicking the bin icon should give you the Open CCleaner option...]. Select the Cleaner icon, press Run Cleaner.
[For future quick temp file cleaning select the options you wish to use via the Windows and Applications tabs .. Note that CCleaner is also a free registry cleaner. Explore all its options, but skip the prefetch folder cleaning option. That one is unnecessary because windows automatically dumps old unused entries anyway, they can do no harm, and further, if there is no prefetch entry for an app you wish to load then your sys will just be a lil bit slower loading it. And an entry will then be generated anyway.]
Combofix:
==Download this file to your desktop: http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe
...or from here: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
...or this new one: http://download.bleepingcomputer.com/sUBs/Beta/ComboFix.exe
- to run it dclick combofix.exe and follow the prompts to start it. When finished, it will produce a log, C:\Combofix.txt - post that log in your next reply.
A word of caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.
Do you have a special desktop background? Or is there a new one you did not put there? If that O24 entry means nothing to you, rclick on a blank space on your desktop, go properties, desktop, customize desktop, web, select all components you do not want and delete them. Then navigate to this file and delete it:
C:\Program Files\Internet Explorer\rteremejyfs.html
Come back with those logs..
Btw, I hope you set AVG AS recommended actions to Quarantine....
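Added example, not part of the thread and not gerbil's or HijackThis's own code: a small Python script that applies the triage gerbil did by eye to a HijackThis log. It flags the entry types singled out above: O2/O3 BHOs and toolbars registered without a name, O4 autoruns whose binary is a near-miss of a Windows system process name (svch0st.exe, svchcs.exe) or that is launched with a long hex blob as its argument, O15 Trusted Zone additions, O20 Winlogon Notify DLLs and the O24 desktop component. The sample lines are copied from the first log in the thread; the SYSTEM_BINARIES list and the edit-distance threshold of 2 are assumptions, not something HijackThis itself does.

```python
"""Triage a HijackThis log.  Added example, not code from the original
thread or from HijackThis; the sample lines below are copied from the log
posted above, and SYSTEM_BINARIES and the distance threshold are
assumptions."""
import re
from typing import Dict, List, Optional

# Constructed sample: a subset of the first HijackThis log in the thread.
SAMPLE_LOG = r"""
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {E62D925C-87E0-41DB-8EAF-4019C079FD96} - C:\WINDOWS\system32\jkhfe.dll
O4 - HKLM\..\Run: [jiahus] C:\WINDOWS\system32\svchcs.exe
O4 - HKCU\..\Run: [UpData] C:\WINDOWS\system32\svch0st.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\retadpu2000219.exe 61A847B5BBF72810329B385473F001F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O20 - Winlogon Notify: jkhfe - C:\WINDOWS\system32\jkhfe.dll
O24 - Desktop Component 0: (no name) - C:\Program Files\Internet Explorer\rteremejyfs.html
"""

# Names a dropper likes to imitate (assumed list; extend it for your own estate).
SYSTEM_BINARIES = ("svchost.exe", "lsass.exe", "csrss.exe", "smss.exe",
                   "winlogon.exe", "services.exe", "explorer.exe")
LINE_RE = re.compile(r"^(R[0-3]|O\d+) - (.*)$")
# 'HKLM\..\Run: [name] "path.exe" args' -> (path, args); the first ".exe" is the split point
RUN_RE = re.compile(r'^HK\w+\\\.\.\\Run\w*: \[[^\]]*\] "?(.*?\.exe)"?\s*(.*)$', re.I)
HEX_BLOB = re.compile(r"\b[0-9A-Fa-f]{32,}\b")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch svch0st/svchcs-style look-alikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_run_entry(body: str) -> Optional[str]:
    """Return a reason string if an O4 autorun looks suspicious, else None."""
    m = RUN_RE.match(body)
    if not m:
        return None
    path, args = m.groups()
    name = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    for good in SYSTEM_BINARIES:
        if name != good and edit_distance(name, good) <= 2:
            return f"autorun binary {name!r} imitates {good!r}"
    if HEX_BLOB.search(args):
        return "autorun is launched with a long hex blob as its argument"
    return None


def triage(log_text: str) -> List[Dict[str, str]]:
    """Walk the log once and collect the entries a reviewer should look at first."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue
        kind, body = m.groups()
        reason = None
        if kind in ("O2", "O3") and "(no name)" in body:
            reason = "BHO/toolbar registered without a name"
        elif kind == "O4":
            reason = check_run_entry(body)
        elif kind == "O15":
            reason = "site added to the IE Trusted Zone"
        elif kind == "O20":
            reason = "Winlogon Notify DLL (loaded into winlogon.exe at logon)"
        elif kind == "O24":
            reason = "Active Desktop component pointing at a local HTML file"
        if reason:
            findings.append({"kind": kind, "reason": reason, "line": line})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['kind']:>3}  {f['reason']}\n     {f['line']}")
```

Run it against a saved log with `triage(open("hijackthis.log").read())`. The look-alike check is deliberately fuzzy: a Run entry in system32 whose name is within two edits of svchost.exe is worth a second look even when the antivirus is quiet, which is exactly the situation in the original post.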


Vundofix found 3 vundo, entitled "efhkj.bak1.bad" "efhkj.ini.bad" and "jkhfe.dll.bad"

When you say "logs" do you mean from HijackThis?

Here's the log from ComboFix.


ComboFix 07-06-18.2 - C:\Documents and Settings\Larry\Desktop\ComboFix.exe
"Larry" - 2007-06-25 23:06:44 - Service Pack 2 NTFS

(((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))

C:\WINDOWS\system32\gebcc.dll
C:\WINDOWS\system32\ccbeg.bak1
C:\WINDOWS\system32\ccbeg.ini

* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\Program Files\inetget2
C:\Program Files\Internet Explorer\rteremejyfs.html
C:\Program Files\outerinfo
C:\Program Files\outerinfo\OinUninstall.exe
C:\Program Files\outerinfo\OiUninstaller.exe
C:\Program Files\outerinfo\Outerinfo.dll
C:\Program Files\outerinfo\Outerinfo.exe
C:\Program Files\outerinfo\outerinfo.ico
C:\Program Files\outerinfo\OuterinfoUpdate.exe
C:\Program Files\outerinfo\Terms.rtf
C:\Program Files\web buying
C:\Program Files\web buying\v1.7.4\wbuninst.exe
C:\Program Files\web buying\v1.7.4\webbuying.exe
C:\Temp\0b9
C:\Temp\0b9\tmpTF.log
C:\Temp\tn3
C:\WINDOWS\b122.exe
C:\WINDOWS\retadpu1000106.exe
C:\WINDOWS\retadpu2000219.exe
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\core.sys
C:\WINDOWS\system32\winnb58.dll
C:\WINDOWS\wr.txt

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

-------\LEGACY_CORE
-------\core

((((((((((((((((((((((((( Files Created from 2007-05-26 to 2007-06-26 )))))))))))))))))))))))))))))))

2007-06-25 23:04 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-25 22:58 <DIR> d-------- C:\Program Files\CCleaner
2007-06-25 22:51 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2007-06-25 21:26 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-06-25 20:41 1,308,216 --a------ C:\Program Files\imsubtle.exe
2007-06-25 20:24 83,024 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2007-06-25 20:24 57,424 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2007-06-25 20:24 53,840 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2007-06-25 20:24 39,376 --a------ C:\WINDOWS\system32\drivers\ikfileflt.sys
2007-06-25 20:24 29,264 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2007-06-25 20:24 <DIR> d-------- C:\Program Files\Spyware Doctor
2007-06-25 20:24 <DIR> d-------- C:\DOCUME~1\Larry\APPLIC~1\PC Tools
2007-06-25 20:24 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google
2007-06-25 20:23 31,254 --a------ C:\WINDOWS\system32\xxyvsrr.dll
2007-06-25 20:18 <DIR> d-------- C:\Program Files\WinPop
2007-06-25 20:15 31,254 --a------ C:\WINDOWS\system32\opnmlmm.dll
2007-06-25 20:15 172,544 --a------ C:\WINDOWS\system32\bxvymww.dll
2007-06-25 20:15 <DIR> d-------- C:\WINDOWS\system32\win
2007-06-25 20:15 <DIR> d-------- C:\WINDOWS\system32\o02PrEz
2007-06-25 20:15 <DIR> d-------- C:\WINDOWS\system32\B4
2007-06-25 20:15 <DIR> d-------- C:\WINDOWS\system32\B3
2007-06-25 20:15 <DIR> d-------- C:\WINDOWS\system32\B2
2007-06-25 20:15 <DIR> d-------- C:\WINDOWS\system32\B1
2007-06-25 20:15 <DIR> d-------- C:\Temp\iee
2007-06-25 20:15 <DIR> d-------- C:\Temp
2007-06-25 00:50 59,264 --a------ C:\WINDOWS\system32\drivers\USBAUDIO.sys
2007-06-24 22:05 <DIR> d-------- C:\Program Files\Psicraft
2007-06-24 22:05 <DIR> d-------- C:\DOCUME~1\Larry\APPLIC~1\Psicraft
2007-06-24 21:35 <DIR> d-------- C:\Program Files\Line6
2007-06-24 21:35 <DIR> d-------- C:\DOCUME~1\Larry\APPLIC~1\Line 6

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-06-26 03:22:22 -------- d-----w C:\DOCUME~1\Larry\APPLIC~1\Xfire
2007-06-26 03:21:56 -------- d-s---w C:\Program Files\Xfire
2007-06-26 02:51:45 1,100 ----a-w C:\WINDOWS\system32\d3d8caps.dat
2007-06-26 02:46:32 -------- d-----w C:\Program Files\Google
2007-06-26 00:35:57 -------- d-----w C:\DOCUME~1\Larry\APPLIC~1\Google
2007-06-26 00:15:29 -------- d-----w C:\Program Files\Windows NT
2007-06-23 13:41:51 -------- d-----w C:\Program Files\World of Warcraft
2007-06-19 19:04:30 -------- d-----w C:\Program Files\GCH Guitar academy
2007-06-19 03:43:07 -------- d-----w C:\DOCUME~1\Larry\APPLIC~1\IGN_DLM
2007-06-16 05:16:32 -------- d-----w C:\Program Files\Mp3 My Mp3 2.0
2007-06-08 03:42:21 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-06-02 22:58:50 -------- d-----w C:\Program Files\Steam
2007-05-20 00:20:05 43,520 ----a-w C:\WINDOWS\system32\CmdLineExt03.dll
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-05-09 01:51:20 -------- d-----w C:\Program Files\AGEIA Technologies
2007-05-09 01:51:14 -------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-05-09 01:46:54 -------- d-----w C:\Program Files\Timeline Interactive
2007-05-05 06:52:33 -------- d-----w C:\Program Files\e frontier
2007-04-27 18:30:05 -------- d-----w C:\Program Files\Common Files\Alias Shared
2007-04-27 18:28:06 -------- d-----w C:\Program Files\Autodesk
2007-04-27 00:17:01 -------- d-----w C:\Program Files\Alias
2007-04-27 00:10:28 -------- d-----w C:\Program Files\Common Files\AliasWavefront Shared
2007-04-27 00:07:41 -------- d--h--w C:\Program Files\Zero G Registry
2007-04-26 22:12:43 -------- d-----w C:\Program Files\eMedia Guitar Method 1
2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2007-04-19 17:26:00 888,832 ----a-w C:\WINDOWS\system32\nvmobls.dll
2007-04-19 17:26:00 86,016 ----a-w C:\WINDOWS\system32\nvmctray.dll
2007-04-19 17:26:00 81,920 ----a-w C:\WINDOWS\system32\nvwddi.dll
2007-04-19 17:26:00 794,624 ----a-w C:\WINDOWS\system32\nvcplui.exe
2007-04-19 17:26:00 7,700,480 ----a-w C:\WINDOWS\system32\nvcpl.dll
2007-04-19 17:26:00 581,632 ----a-w C:\WINDOWS\system32\nvhwvid.dll
2007-04-19 17:26:00 5,644,288 ----a-w C:\WINDOWS\system32\nvoglnt.dll
2007-04-19 17:26:00 5,619,712 ----a-w C:\WINDOWS\system32\nvdisps.dll
2007-04-19 17:26:00 5,255,168 ----a-w C:\WINDOWS\system32\nvdispsr.dll
2007-04-19 17:26:00 466,944 ----a-w C:\WINDOWS\system32\nvshell.dll
2007-04-19 17:26:00 458,752 ----a-w C:\WINDOWS\system32\nvmccssr.dll
2007-04-19 17:26:00 45,056 ----a-w C:\WINDOWS\system32\nvmccsrs.dll
2007-04-19 17:26:00 442,368 ----a-w C:\WINDOWS\system32\nvappbar.exe
2007-04-19 17:26:00 425,984 ----a-w C:\WINDOWS\system32\keystone.exe
2007-04-19 17:26:00 4,543,616 ----a-w C:\WINDOWS\system32\nv4_disp.dll
2007-04-19 17:26:00 35,840 ----a-w C:\WINDOWS\system32\nvcodins.dll
2007-04-19 17:26:00 35,840 ----a-w C:\WINDOWS\system32\nvcod.dll
2007-04-19 17:26:00 335,872 ----a-w C:\WINDOWS\system32\nvwrses.dll
2007-04-19 17:26:00 335,872 ----a-w C:\WINDOWS\system32\nvwrsel.dll
2007-04-19 17:26:00 327,680 ----a-w C:\WINDOWS\system32\nvwrsfr.dll
2007-04-19 17:26:00 327,680 ----a-w C:\WINDOWS\system32\nvwrsesm.dll
2007-04-19 17:26:00 323,584 ----a-w C:\WINDOWS\system32\nvwrspt.dll
2007-04-19 17:26:00 323,584 ----a-w C:\WINDOWS\system32\nvwrsit.dll
2007-04-19 17:26:00 323,584 ----a-w C:\WINDOWS\system32\nvrshe.dll
2007-04-19 17:26:00 323,584 ----a-w C:\WINDOWS\system32\nvrsar.dll
2007-04-19 17:26:00 319,488 ----a-w C:\WINDOWS\system32\nvwrsptb.dll
2007-04-19 17:26:00 319,488 ----a-w C:\WINDOWS\system32\nvwrsnl.dll
2007-04-19 17:26:00 315,392 ----a-w C:\WINDOWS\system32\nvwrsru.dll
2007-04-19 17:26:00 315,392 ----a-w C:\WINDOWS\system32\nvwrshu.dll
2007-04-19 17:26:00 311,296 ----a-w C:\WINDOWS\system32\nvwrsde.dll
2007-04-19 17:26:00 311,296 ----a-w C:\WINDOWS\system32\nvexpbar.dll
2007-04-19 17:26:00 303,104 ----a-w C:\WINDOWS\system32\nvwrstr.dll
2007-04-19 17:26:00 303,104 ----a-w C:\WINDOWS\system32\nvwrssl.dll
2007-04-19 17:26:00 303,104 ----a-w C:\WINDOWS\system32\nvwrsfi.dll
2007-04-19 17:26:00 3,203,072 ----a-w C:\WINDOWS\system32\nvgamesr.dll
2007-04-19 17:26:00 3,035,136 ----a-w C:\WINDOWS\system32\nvgames.dll
2007-04-19 17:26:00 299,008 ----a-w C:\WINDOWS\system32\nvwrssk.dll
2007-04-19 17:26:00 299,008 ----a-w C:\WINDOWS\system32\nvwrsno.dll
2007-04-19 17:26:00 294,912 ----a-w C:\WINDOWS\system32\nvwrssv.dll
2007-04-19 17:26:00 294,912 ----a-w C:\WINDOWS\system32\nvwrspl.dll
2007-04-19 17:26:00 294,912 ----a-w C:\WINDOWS\system32\nvwrsda.dll
2007-04-19 17:26:00 286,720 ----a-w C:\WINDOWS\system32\nvwrseng.dll
2007-04-19 17:26:00 286,720 ----a-w C:\WINDOWS\system32\nvwrscs.dll
2007-04-19 17:26:00 286,720 ----a-w C:\WINDOWS\system32\nvnt4cpl.dll
2007-04-19 17:26:00 282,624 ----a-w C:\WINDOWS\system32\nvwrsar.dll
2007-04-19 17:26:00 278,528 ----a-w C:\WINDOWS\system32\nvwrshe.dll
2007-04-19 17:26:00 278,528 ----a-w C:\WINDOWS\system32\nvrsfr.dll
2007-04-19 17:26:00 274,432 ----a-w C:\WINDOWS\system32\nvrsit.dll
2007-04-19 17:26:00 274,432 ----a-w C:\WINDOWS\system32\nvrses.dll
2007-04-19 17:26:00 274,432 ----a-w C:\WINDOWS\system32\nvrsel.dll
2007-04-19 17:26:00 270,336 ----a-w C:\WINDOWS\system32\nvrsde.dll
2007-04-19 17:26:00 266,240 ----a-w C:\WINDOWS\system32\nvrspt.dll
2007-04-19 17:26:00 266,240 ----a-w C:\WINDOWS\system32\nvrsnl.dll
2007-04-19 17:26:00 266,240 ----a-w C:\WINDOWS\system32\nvrsesm.dll
2007-04-19 17:26:00 262,144 ----a-w C:\WINDOWS\system32\nvrsru.dll
2007-04-19 17:26:00 262,144 ----a-w C:\WINDOWS\system32\nvrsptb.dll
2007-04-19 17:26:00 262,144 ----a-w C:\WINDOWS\system32\nvrsja.dll
2007-04-19 17:26:00 258,048 ----a-w C:\WINDOWS\system32\nvrsko.dll
2007-04-19 17:26:00 253,952 ----a-w C:\WINDOWS\system32\nvrshu.dll
2007-04-19 17:26:00 249,856 ----a-w C:\WINDOWS\system32\nvrstr.dll
2007-04-19 17:26:00 249,856 ----a-w C:\WINDOWS\system32\nvrssl.dll
2007-04-19 17:26:00 249,856 ----a-w C:\WINDOWS\system32\nvrssk.dll
2007-04-19 17:26:00 249,856 ----a-w C:\WINDOWS\system32\nvrspl.dll
2007-04-19 17:26:00 249,856 ----a-w C:\WINDOWS\system32\nvrsno.dll
2007-04-19 17:26:00 245,760 ----a-w C:\WINDOWS\system32\nvrssv.dll
2007-04-19 17:26:00 245,760 ----a-w C:\WINDOWS\system32\nvrsda.dll
2007-04-19 17:26:00 241,664 ----a-w C:\WINDOWS\system32\nvrsfi.dll
2007-04-19 17:26:00 241,664 ----a-w C:\WINDOWS\system32\nvrseng.dll
2007-04-19 17:26:00 241,664 ----a-w C:\WINDOWS\system32\nvrscs.dll
2007-04-19 17:26:00 229,376 ----a-w C:\WINDOWS\system32\nvmccs.dll
2007-04-19 17:26:00 221,184 ----a-w C:\WINDOWS\system32\nvrszhc.dll
2007-04-19 17:26:00 212,992 ----a-w C:\WINDOWS\system32\nvwrsja.dll
2007-04-19 17:26:00 212,992 ----a-w C:\WINDOWS\system32\nvapi.dll
2007-04-19 17:26:00 2,973,696 ----a-w C:\WINDOWS\system32\nvvitvsr.dll
2007-04-19 17:26:00 2,924,544 ----a-w C:\WINDOWS\system32\nvvitvs.dll
2007-02-23 07:57:59 88 --sh--r C:\WINDOWS\system32\4BFB238848.sys

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{02478D38-C3F9-4EFB-9B51-7695ECA05670}=C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll [2006-10-26 11:28]
{4A168249-1BF9-4A1D-965C-3EC04A69736B}=C:\Program Files\Windows NT\mewofyn83122.dll [2007-06-18 14:59]
{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}=C:\Program Files\Yahoo!\Common\yiesrvc.dll [2006-10-31 16:29]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll [2006-11-09 16:21]
{9A9C9B69-F908-4AAB-8D0C-10EA8997F37E}=C:\WINDOWS\system32\WinNB58.dll []
{AA58ED58-01DD-4d91-8333-CF10577473F7}=c:\program files\google\googletoolbar2.dll [2007-01-19 23:55]
{DC192567-65F9-4AB6-ADB7-E13575F81726}=C:\WINDOWS\system32\opnmlmm.dll [2007-06-25 20:15]
{E62D925C-87E0-41DB-8EAF-4019C079FD96}=C:\WINDOWS\system32\jkhfe.dll []
{f692398e-2c9c-4a4d-96e8-b1520eeac2c8}=C:\WINDOWS\system32\bxvymww.dll [2007-06-25 20:15]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"vptray"="C:\Program Files\NavNT\vptray.exe" [2001-09-24 07:59]
"nwiz"="nwiz.exe" [2007-04-19 13:26 C:\WINDOWS\system32\nwiz.exe]
"Logitech Hardware Abstraction Layer"="C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE" []
"ViewMgr"="C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe" []
"Cmaudio"="cmicnfg.cpl" []
"@"="" []
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" []
"atwtusb"="atwtusb.exe" [2005-02-03 10:37 C:\WINDOWS\system32\atwtusb.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe" [2006-11-09 16:07]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-09-01 16:57]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UpData"="C:\WINDOWS\system32\svch0st.exe" []
"igndlm.exe"="C:\Program Files\IGN\Download Manager\DLM.exe" [2006-11-07 18:22]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2006-11-12 06:48]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 13:54]
"Steam"="" []
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-01-19 13:49]
"Outerinfo"="C:\Program Files\Outerinfo\Outerinfo.exe" []
"OuterinfoUpdate"="C:\Program Files\Outerinfo\OuterinfoUpdate.exe" []
"WinPop"="C:\Program Files\WinPop\winpop.exe" [2007-06-25 20:18]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2007-06-25 20:30]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"=Narrator.exe
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= C:\Program Files\Internet Explorer\rteremejyfs.html
FriendlyName=
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2006-09-28 10:13]
"{DC192567-65F9-4AB6-ADB7-E13575F81726}"="C:\WINDOWS\system32\opnmlmm.dll" [2007-06-25 20:15]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\opnmlmm]
opnmlmm.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\sdauxservice]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\sdcoreservice]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
"C:\Program Files\Steam\Steam.exe" -silent
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2a15a5a0-aa57-11db-a05a-9ccc57198468}]
AutoRun\command- F:\LaunchU3.exe -a

**************************************************************************
catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-25 23:21:42
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Completion time: 2007-06-25 23:23:21 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-06-25 23:23
--- E O F ---

Sadly, Mirar and all its little pop-up pals are still bugging me almost constantly, but there is definitely a change in performance so far.
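Added example, not part of the thread and not VundoFix's or ComboFix's own logic: the two logs above show the same naming trick twice, a DLL in system32 whose stem spelled backwards names a .ini and a .bak1 file beside it (jkhfe.dll with efhkj.ini and efhkj.bak1 in the VundoFix log; gebcc.dll with ccbeg.ini and ccbeg.bak1 in the ComboFix log). This Python snippet finds that pairing in a directory listing. The listing is constructed from those logs plus a few ordinary files; the rule that the companions must be .ini or .bak* files is an assumption drawn from just these two logs.

```python
"""Spot the companion-file pairing visible in the VundoFix and ComboFix logs
above: a DLL whose stem, reversed, names a .ini and a .bak* file in the same
directory.  Added example, not part of the thread; the listing is
constructed from those logs plus benign files."""
import os
import sys
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed listing: the names from the logs above, plus benign files that
# must not be reported.
SAMPLE_LISTING = [
    "jkhfe.dll", "efhkj.ini", "efhkj.bak1",
    "gebcc.dll", "ccbeg.ini", "ccbeg.bak1",
    "kernel32.dll", "ntdll.dll", "win.ini", "system.ini",
    "opnmlmm.dll", "bxvymww.dll",
]


def companion_extensions(exts: List[str]) -> List[str]:
    """Keep only the .ini and .bak* extensions that ride alongside the DLL."""
    return [e for e in exts if e == ".ini" or e.startswith(".bak")]


def vundo_pairs(names: List[str]) -> List[Tuple[str, List[str]]]:
    """Return (dll, [companions]) for every DLL whose reversed stem names
    .ini/.bak* files in the same listing.  Comparison is case-insensitive."""
    by_stem: Dict[str, List[str]] = defaultdict(list)
    for n in names:
        stem, ext = os.path.splitext(n.lower())
        by_stem[stem].append(ext)
    pairs = []
    for stem, exts in by_stem.items():
        if ".dll" not in exts:
            continue
        mirror = stem[::-1]
        # a palindromic stem would pair with itself, so skip it
        if mirror == stem or mirror not in by_stem:
            continue
        companions = companion_extensions(by_stem[mirror])
        if companions:
            pairs.append((stem + ".dll", sorted(mirror + e for e in companions)))
    return sorted(pairs)


def scan_directory(path: str) -> List[Tuple[str, List[str]]]:
    """Run the check against a real directory, e.g. C:\\WINDOWS\\system32."""
    return vundo_pairs(os.listdir(path))


if __name__ == "__main__":
    listing = os.listdir(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LISTING
    for dll, companions in vundo_pairs(listing):
        print(f"{dll}  <->  {', '.join(companions)}")
```

Pass a directory on the command line to scan it; with no argument the constructed listing is used. The check is only a file-system heuristic: as the thread shows, the DLL can also be hooked in as a BHO and a Winlogon Notify entry, so a hit here should be followed by a look at those registry keys as well.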


Post the contents of C:\vundofix.txt. Plus a fresh hijackthis log. And we've barely started on the fix...


Post the contents of C:\vundofix.txt

VundoFix V6.3.21
Checking Java version...
Java version is 1.5.0.10
Scan started at 4:29:54 PM 4/30/2007
Listing files found while scanning....
No infected files were found.

VundoFix V6.3.21
Checking Java version...
Java version is 1.5.0.4
Old versions of java are exploitable and should be removed.
Java version is 1.5.0.10
Scan started at 8:25:04 PM 6/25/2007
Listing files found while scanning....

VundoFix V6.3.21
Checking Java version...
Java version is 1.5.0.4
Old versions of java are exploitable and should be removed.
Java version is 1.5.0.10
Scan started at 10:15:58 PM 6/25/2007
Listing files found while scanning....
C:\WINDOWS\system32\efhkj.bak1
C:\WINDOWS\system32\efhkj.ini
C:\WINDOWS\system32\jkhfe.dll
Beginning removal...
Attempting to delete C:\WINDOWS\system32\efhkj.bak1
C:\WINDOWS\system32\efhkj.bak1 Has been deleted!
Attempting to delete C:\WINDOWS\system32\efhkj.ini
C:\WINDOWS\system32\efhkj.ini Has been deleted!
Attempting to delete C:\WINDOWS\system32\jkhfe.dll
C:\WINDOWS\system32\jkhfe.dll Could not be deleted.
Performing Repairs to the registry.
Done!
Beginning removal...
Attempting to delete C:\WINDOWS\system32\jkhfe.dll
C:\WINDOWS\system32\jkhfe.dll Has been deleted!
Performing Repairs to the registry.
Done!
VundoFix V6.3.21
Checking Java version...
Java version is 1.5.0.4
Old versions of java are exploitable and should be removed.
Java version is 1.5.0.10
Scan started at 10:53:31 PM 6/25/2007
Listing files found while scanning....
No infected files were found.


Hijack This Log

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 11:30:09 PM, on 6/25/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\NavNT\vptray.exe
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\atwtusb.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\WinPop\winpop.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Xfire\Xfire.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\imsubtle.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {4A168249-1BF9-4A1D-965C-3EC04A69736B} - C:\Program Files\Windows NT\mewofyn83122.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Mirar - {9A9C9B69-F908-4AAB-8D0C-10EA8997F37E} - C:\WINDOWS\system32\WinNB58.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {DC192567-65F9-4AB6-ADB7-E13575F81726} - C:\WINDOWS\system32\opnmlmm.dll
O2 - BHO: (no name) - {E62D925C-87E0-41DB-8EAF-4019C079FD96} - C:\WINDOWS\system32\jkhfe.dll (file missing)
O2 - BHO: (no name) - {f692398e-2c9c-4a4d-96e8-b1520eeac2c8} - C:\WINDOWS\system32\bxvymww.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Mirar - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - C:\WINDOWS\system32\WinNB58.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] "C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE"
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [atwtusb] atwtusb.exe beta
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [UpData] C:\WINDOWS\system32\svch0st.exe
O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\IGN\Download Manager\DLM.exe /windowsstart /startifwork
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Outerinfo] "C:\Program Files\Outerinfo\Outerinfo.exe"
O4 - HKCU\..\Run: [OuterinfoUpdate] "C:\Program Files\Outerinfo\OuterinfoUpdate.exe"
O4 - HKCU\..\Run: [WinPop] C:\Program Files\WinPop\winpop.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
O16 - DPF: {8A0DCBDB-6E20-489C-9041-C1E8A0352E75} (Mirar_Dummy_ATS1 Class) - http://awbeta.net-nucleus.com/FIX/WinATS.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://webcam.salisbury.edu/activex/AxisCamControl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: opnmlmm - C:\WINDOWS\SYSTEM32\opnmlmm.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - Unknown owner - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\Internet Explorer\rteremejyfs.html
--
End of file - 7663 bytes


I didn't mean to imply that this was going slow or anything, I just wanted to say that my computer has sped up by a bit.

0

That's ok, still a lot of work to do. Run vundofix again please, and post only the vundofix log.

0

VundoFix V6.3.21
Checking Java version...
Java version is 1.5.0.4
Old versions of java are exploitable and should be removed.
Java version is 1.5.0.10
Scan started at 11:55:17 PM 6/25/2007
Listing files found while scanning....
No infected files were found.

0

I assume imsubtle is hijackthis? Cool. :) I'm not so subtle.
==Download Avenger from http://swandog46.geekstogo.com/avenger.zip
You must be in an Administrator-privileged account to run this procedure...
-unzip it to your desktop and leave it for the moment.
==Okay, this time we'll point VundoFix at the remaining vundo pest: Start Vundofix,
*****When the scan completes rclick inside the white text box, lclick the Addmore files? line, paste into the new window these two pathnames [one per line]:

C:\WINDOWS\system32\opnmlmm.dll

Click the Add Files button, and next the Remove Vundo button.*****

You will receive a prompt asking if you want to remove the files - click YES
Your desktop will then go blank as the process of removing Vundo starts.
When completed it will prompt that it will restart your computer - click OK.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.
Post the contents of C:\vundofix.txt
==Start hijackthis, select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.

O2 - BHO: (no name) - {4A168249-1BF9-4A1D-965C-3EC04A69736B} - C:\Program Files\Windows NT\mewofyn83122.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Mirar - {9A9C9B69-F908-4AAB-8D0C-10EA8997F37E} - C:\WINDOWS\system32\WinNB58.dll (file missing)
O2 - BHO: (no name) - {DC192567-65F9-4AB6-ADB7-E13575F81726} - C:\WINDOWS\system32\opnmlmm.dll
O2 - BHO: (no name) - {E62D925C-87E0-41DB-8EAF-4019C079FD96} - C:\WINDOWS\system32\jkhfe.dll (file missing)
O3 - Toolbar: Mirar - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - C:\WINDOWS\system32\WinNB58.dll (file missing)
O4 - HKCU\..\Run: [UpData] C:\WINDOWS\system32\svch0st.exe
O4 - HKCU\..\Run: [Outerinfo] "C:\Program Files\Outerinfo\Outerinfo.exe"
O4 - HKCU\..\Run: [OuterinfoUpdate] "C:\Program Files\Outerinfo\OuterinfoUpdate.exe"
O16 - DPF: {8A0DCBDB-6E20-489C-9041-C1E8A0352E75} (Mirar_Dummy_ATS1 Class) - http://awbeta.net-nucleus.com/FIX/WinATS.cab
O20 - Winlogon Notify: opnmlmm - C:\WINDOWS\SYSTEM32\opnmlmm.dll

Good.
==Start Avenger; select “Input script manually” and then click the magnifying glass icon. Paste into the box as one block all the text between the lines:-
_____________________________________
Files to delete:
C:\WINDOWS\system32\svch0st.exe
C:\Program Files\Outerinfo\Outerinfo.exe
C:\Program Files\Internet Explorer\rteremejyfs.html

Folders to delete:
C:\Program Files\Outerinfo
_____________________________________
...and click Done, and finally the green light.
Follow prompts to reboot your machine.
[The files, etc., that you asked Avenger to delete are zipped to C:\avenger\backup.zip.]
Avenger creates a log file that should open with the results of its actions. This file is located at C:\avenger.txt
==Did you carry out the last part of my first post to you re the desktop file?
Please post that log file, plus the new vundofix log and a fresh hijackthis log.
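The entries in the fix list above can be picked out of a HijackThis log mechanically. The script below is an added example for this thread, not HijackThis code and not a tool the helper used: it reads HijackThis log lines and flags the same signals the list targets: unnamed "(no name)" BHOs and toolbars, hooks whose file is missing, O15 Trusted Zone additions, O20 Winlogon Notify DLLs, O24 Active Desktop components that point at a local file, a Run entry whose filename is one character away from a real system binary (svch0st.exe), and machine-generated filenames like opnmlmm.dll. The KNOWN_ADWARE and SYSTEM_BINARIES lists and the filename heuristics are assumptions for illustration; the sample log is a constructed excerpt of the 11:30 PM log posted above.

```python
"""Triage HijackThis log entries the way a malware-removal helper does by eye.

Added example for this thread; not HijackThis code and not a tool the thread
used.  KNOWN_ADWARE, SYSTEM_BINARIES and the name heuristics are illustrative
assumptions, not a signature database.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

_ENTRY = re.compile(r"^(?P<sec>O\d+|R\d|F\d) - (?P<body>.*)$")
# Local path ending in an extension HijackThis entries point at; paths contain
# spaces ("Program Files"), so match lazily up to the extension.
_PATH = re.compile(r"[A-Za-z]:\\.*?\.(?:dll|exe|html|cab)\b", re.IGNORECASE)
KNOWN_ADWARE = ("mirar", "outerinfo")   # assumption: names seen in this thread
SYSTEM_BINARIES = ("svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
                   "services.exe", "explorer.exe", "spoolsv.exe")

@dataclass(frozen=True)
class Finding:
    section: str
    reason: str
    line: str

def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; filenames are short, so O(n*m) is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def look_alike(filename: str) -> Optional[str]:
    """System binary that `filename` imitates by one character (svch0st.exe)."""
    name = filename.lower()
    for real in SYSTEM_BINARIES:
        if name != real and _edit_distance(name, real) == 1:
            return real
    return None

def looks_random(filename: str) -> bool:
    """Vundo-style generated names: 5+ letters followed by 3+ digits
    (mewofyn83122.dll), or a stem of 5+ letters where fewer than one in four
    is a vowel, y counted as a vowel (opnmlmm.dll, bxvymww.dll, WinNB58.dll)."""
    stem = filename.lower().rsplit(".", 1)[0]
    if re.fullmatch(r"[a-z]{5,}\d{3,}", stem):
        return True
    letters = re.sub(r"[^a-z]", "", stem)
    if len(letters) < 5:
        return False
    return sum(c in "aeiouy" for c in letters) / len(letters) < 0.25

def triage(log_text: str) -> List[Finding]:
    """One Finding per (entry, reason); entries with no reason are not returned."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = _ENTRY.match(line)
        if not m:
            continue                      # header, process list, blank lines
        sec, body = m.group("sec"), m.group("body")
        reasons = []
        if sec in ("O2", "O3") and "(no name)" in body:
            reasons.append("unnamed BHO/toolbar")
        if "(file missing)" in body or "(no file)" in body:
            reasons.append("orphaned hook: file gone, registry entry remains")
        if any(k in body.lower() for k in KNOWN_ADWARE):
            reasons.append("known adware name")
        if sec == "O15":
            reasons.append("site added to the IE Trusted Zone")
        if sec == "O20":
            reasons.append("Winlogon Notify DLL runs at logon, before the desktop")
        paths = _PATH.findall(line)
        if sec == "O24" and paths:
            reasons.append("Active Desktop component sourced from a local file")
        for name in (p.rsplit("\\", 1)[-1] for p in paths):
            real = look_alike(name)
            if real:
                reasons.append(f"{name} masquerades as {real}")
            elif looks_random(name):
                reasons.append(f"machine-generated filename {name}")
        findings.extend(Finding(sec, r, line) for r in reasons)
    return findings

# Constructed sample: lines excerpted from the 11:30 PM HijackThis log above.
SAMPLE_LOG = r"""
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {4A168249-1BF9-4A1D-965C-3EC04A69736B} - C:\Program Files\Windows NT\mewofyn83122.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: Mirar - {9A9C9B69-F908-4AAB-8D0C-10EA8997F37E} - C:\WINDOWS\system32\WinNB58.dll (file missing)
O2 - BHO: (no name) - {DC192567-65F9-4AB6-ADB7-E13575F81726} - C:\WINDOWS\system32\opnmlmm.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKCU\..\Run: [UpData] C:\WINDOWS\system32\svch0st.exe
O4 - HKCU\..\Run: [Outerinfo] "C:\Program Files\Outerinfo\Outerinfo.exe"
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: opnmlmm - C:\WINDOWS\SYSTEM32\opnmlmm.dll
O24 - Desktop Component 0: (no name) - C:\Program Files\Internet Explorer\rteremejyfs.html
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:4} {f.reason:55} {f.line[:60]}")
```

Run as-is it prints 14 findings for the sample; the Yahoo, Java, Google and Symantec lines produce none. The vowel-ratio rule is deliberately loose and will also trip on legitimate abbreviations (KHALMNPR.EXE and nvsvc32.exe from the same log both fail it), so treat "machine-generated filename" as a prompt to check the file's location and signer, not as a verdict. The "(file missing)" entries are still worth fixing even though the DLL is gone: the CLSID registration still names the path, and if anything re-creates that file IE loads it at the next start.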

0

Avenger Log


Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\sabnfpwk
*******************
Script file located at: \??\C:\WINDOWS\gupbmjui.txt
Script file opened successfully.
Script file read successfully
Backups directory opened successfully at C:\Avenger
*******************
Beginning to process script file:

File C:\WINDOWS\system32\svch0st.exe not found!
Deletion of file C:\WINDOWS\system32\svch0st.exe failed!
Could not process line:
C:\WINDOWS\system32\svch0st.exe
Status: 0xc0000034

Could not open file C:\Program Files\Outerinfo\Outerinfo.exe for deletion
Deletion of file C:\Program Files\Outerinfo\Outerinfo.exe failed!
Could not process line:
C:\Program Files\Outerinfo\Outerinfo.exe
Status: 0xc000003a
File C:\Program Files\Internet Explorer\rteremejyfs.html deleted successfully.

Folder C:\Program Files\Outerinfo not found!
Deletion of folder C:\Program Files\Outerinfo failed!
Could not process line:
C:\Program Files\Outerinfo
Status: 0xc0000034

Completed script processing.
*******************
Finished! Terminate.


Hijack This Log
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 12:49:12 AM, on 6/26/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\NavNT\vptray.exe
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\atwtusb.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\WinPop\winpop.exe
C:\Program Files\Xfire\Xfire.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\imsubtle.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: (no name) - {D103A75C-9439-48F6-B35A-1804CAD065ED} - C:\WINDOWS\system32\gebyw.dll (file missing)
O2 - BHO: (no name) - {f692398e-2c9c-4a4d-96e8-b1520eeac2c8} - C:\WINDOWS\system32\bxvymww.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] "C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE"
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [atwtusb] atwtusb.exe beta
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\IGN\Download Manager\DLM.exe /windowsstart /startifwork
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [WinPop] C:\Program Files\WinPop\winpop.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://webcam.salisbury.edu/activex/AxisCamControl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - Unknown owner - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\Internet Explorer\rteremejyfs.html
--
End of file - 6296 bytes

VundoFix Log


VundoFix V6.3.21
Checking Java version...
Java version is 1.5.0.4
Old versions of java are exploitable and should be removed.
Java version is 1.5.0.10
Scan started at 12:28:06 AM 6/26/2007
Listing files found while scanning....
C:\WINDOWS\system32\gebyw.dll
C:\WINDOWS\system32\wybeg.bak1
C:\WINDOWS\system32\wybeg.ini
Beginning removal...
Attempting to delete C:\WINDOWS\system32\gebyw.dll
C:\WINDOWS\system32\gebyw.dll Could not be deleted.
Attempting to delete C:\WINDOWS\system32\wybeg.bak1
C:\WINDOWS\system32\wybeg.bak1 Has been deleted!
Attempting to delete C:\WINDOWS\system32\wybeg.ini
C:\WINDOWS\system32\wybeg.ini Has been deleted!
Performing Repairs to the registry.
Done!
Beginning removal...
Attempting to delete C:\WINDOWS\system32\gebyw.dll
C:\WINDOWS\system32\gebyw.dll Has been deleted!
Performing Repairs to the registry.
Done!
Beginning removal...
Attempting to delete C:\WINDOWS\system32\opnmlmm.dll
C:\WINDOWS\system32\opnmlmm.dll Has been deleted!
Performing Repairs to the registry.
Done!

I did a scan before rclicking the white box, I misread your post and removed the 3 items it had. It restarted and deleted one of them, and then I right clicked the white box, and continued following your directions.

And if you meant:

rclick on a blank space on your desktop, go properties, desktop, customize desktop, web, select all components you do not want and delete them. Then navigate to this file and delete it:
C:\Program Files\Internet Explorer\rteremejyfs.html

Yes, I went to that folder and deleted it, which was quite simple.


One problem I encountered was fixing

O20 - Winlogon Notify: opnmlmm - C:\WINDOWS\SYSTEM32\opnmlmm.dll

I couldn't find it, the numbers went from 16 to 22 with nothing in between.

0

You're doing fine.
That O20? vundofix deleted its file.
Okay, couple more things to fix [incl one I missed putting in cos I was at the time wondering if it was a vundo file..]
Fix these and then restart your sys:

O2 - BHO: (no name) - {D103A75C-9439-48F6-B35A-1804CAD065ED} - C:\WINDOWS\system32\gebyw.dll (file missing)
O2 - BHO: (no name) - {f692398e-2c9c-4a4d-96e8-b1520eeac2c8} - C:\WINDOWS\system32\bxvymww.dll
O24 - Desktop Component 0: (no name) - C:\Program Files\Internet Explorer\rteremejyfs.html

Do a scan and note if the second entry comes back. Let me know.
The last one - I do not know if this is something to do with the Beta version you are using or not; I would have thought it would not reappear if you deleted the file. Please check the file has not reappeared, and let me know.
Actually, it would not hurt to load this file into Vundofix as you did the previous one and let it look at it:
C:\WINDOWS\system32\bxvymww.dll - show me the result.

I do not see any resident antivirus service in your sys. Please go into safe mode and run AVG AS -under Scanner/ Settings please set Recommended actions to Quarantine, and run the scan.
-click Apply all actions and then save the log file. Post the log file.
And next, with Windows firewall activated at least, go to one of these sites and get an AV!! Now.
AVG Free 7.5 at http://free.grisoft.com/doc/5390/lng/us/tpl/v5
Avira personal free at http://www.free-av.com/
Avast home edition at http://www.avast.com/eng/avast_4_home.html
Done that? Now get a firewall, a real one, Zonealarm or Kerio.
And Spywareblaster.
JAVA Update:
==Finally: Java update!!! This is for security reasons. Go control panel > java > update, & press update now. Restart after installing the update, and then go into control panel again, add/remove pgms and remove all old versions of java. Vsn 1.6.0.1 is current....

0

Okay everything is done with the exception of the AVG AS scan. There are multiple scan choices, which did you want me to pick?

Do a scan and note if the second entry comes back. Let me know.

O24 - Desktop Component 0: (no name) - C:\Program Files\Internet Explorer\rteremejyfs.html

This came back a second time.

I just installed AVG Free 7.5, and here is my Vundo Fix log. As I can't tell what is an old addition to the log and what is new, I'll have to post the entire thing.


VundoFix V6.3.21
Checking Java version...
Java version is 1.5.0.4
Old versions of java are exploitable and should be removed.
Java version is 1.5.0.10
Scan started at 11:55:17 PM 6/25/2007
Listing files found while scanning....
No infected files were found.

VundoFix V6.3.21
Checking Java version...
Java version is 1.5.0.4
Old versions of java are exploitable and should be removed.
Java version is 1.5.0.10
Scan started at 12:28:06 AM 6/26/2007
Listing files found while scanning....
C:\WINDOWS\system32\gebyw.dll
C:\WINDOWS\system32\wybeg.bak1
C:\WINDOWS\system32\wybeg.ini
Beginning removal...
Attempting to delete C:\WINDOWS\system32\gebyw.dll
C:\WINDOWS\system32\gebyw.dll Could not be deleted.
Attempting to delete C:\WINDOWS\system32\wybeg.bak1
C:\WINDOWS\system32\wybeg.bak1 Has been deleted!
Attempting to delete C:\WINDOWS\system32\wybeg.ini
C:\WINDOWS\system32\wybeg.ini Has been deleted!
Performing Repairs to the registry.
Done!
Beginning removal...
Attempting to delete C:\WINDOWS\system32\gebyw.dll
C:\WINDOWS\system32\gebyw.dll Has been deleted!
Performing Repairs to the registry.
Done!
Beginning removal...
Attempting to delete C:\WINDOWS\system32\opnmlmm.dll
C:\WINDOWS\system32\opnmlmm.dll Has been deleted!
Performing Repairs to the registry.
Done!
Beginning removal...
Attempting to delete C:\WINDOWS\system32\bxvymww.dll
C:\WINDOWS\system32\bxvymww.dll Has been deleted!
Performing Repairs to the registry.
Done!

0

Hi, Ayenima, let's continue... since something is interfering with your desktop this next pgm should root out other, like processes:
==Download SmitfraudFix (by S!Ri) from http://siri.urz.free.fr/Fix/SmitfraudFix.zip
Extract the content (a folder named SmitfraudFix) to your Desktop.
- Open the SmitfraudFix folder and double-click smitfraudfix.cmd, select option #1 - Search [type 1 and Enter]; a text file will appear which lists infected files (if present). It will also create a log named rapport.txt in the root of your drive, eg: Local Disk C:.. Please paste the report in your next reply. DO NOT RUN OPTION 2 YET!!!
If you have not run AVG AS yet hold off for a moment until I see this log.

0

SmitFraudFix v2.197
Scan done at 1:53:41.67, Wed 06/27/2007
Run from C:\Documents and Settings\Larry\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode
»»»»»»»»»»»»»»»»»»»»»»»» Process
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\NavNT\vptray.exe
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\atwtusb.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\WinPop\winpop.exe
C:\Program Files\Xfire\Xfire.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\cmd.exe
»»»»»»»»»»»»»»»»»»»»»»»» hosts

»»»»»»»»»»»»»»»»»»»»»»»» C:\

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Larry

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Larry\Application Data

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Larry\FAVORI~1

»»»»»»»»»»»»»»»»»»»»»»»» Desktop

»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys

»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="C:\\Program Files\\Internet Explorer\\rteremejyfs.html"
"SubscribedURL"=""
"FriendlyName"=""

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\1]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""

»»»»»»»»»»»»»»»»»»»»»»»» Rustock

»»»»»»»»»»»»»»»»»»»»»»»» DNS
Description: Instant Wireless USB Network Adapter ver.2.6 #2 - Packet Scheduler Miniport
DNS Server Search Order: 24.29.103.10
DNS Server Search Order: 24.29.103.11
Description: Instant Wireless USB Network Adapter ver.2.6 #2 - Packet Scheduler Miniport
DNS Server Search Order: 24.29.103.10
DNS Server Search Order: 24.29.103.11
Description: Instant Wireless USB Network Adapter ver.2.6 #2 - Packet Scheduler Miniport
DNS Server Search Order: 24.29.103.10
DNS Server Search Order: 24.29.103.11
HKLM\SYSTEM\CCS\Services\Tcpip\..\{0736B882-5441-4366-A496-4FBF55969319}: DhcpNameServer=24.29.103.10 24.29.103.11
HKLM\SYSTEM\CCS\Services\Tcpip\..\{5BA24600-FF63-41E1-9506-53AA69F2492B}: DhcpNameServer=24.29.103.10 24.29.103.11
HKLM\SYSTEM\CCS\Services\Tcpip\..\{852E3730-E396-4A83-B2A8-D38ED4606B92}: DhcpNameServer=24.29.103.10 24.29.103.11
HKLM\SYSTEM\CS1\Services\Tcpip\..\{0736B882-5441-4366-A496-4FBF55969319}: DhcpNameServer=24.29.103.10 24.29.103.11
HKLM\SYSTEM\CS1\Services\Tcpip\..\{5BA24600-FF63-41E1-9506-53AA69F2492B}: DhcpNameServer=24.29.103.10 24.29.103.11
HKLM\SYSTEM\CS1\Services\Tcpip\..\{852E3730-E396-4A83-B2A8-D38ED4606B92}: DhcpNameServer=24.29.103.10 24.29.103.11
HKLM\SYSTEM\CS2\Services\Tcpip\..\{0736B882-5441-4366-A496-4FBF55969319}: DhcpNameServer=24.29.103.10 24.29.103.11
HKLM\SYSTEM\CS2\Services\Tcpip\..\{5BA24600-FF63-41E1-9506-53AA69F2492B}: DhcpNameServer=24.29.103.10 24.29.103.11
HKLM\SYSTEM\CS2\Services\Tcpip\..\{852E3730-E396-4A83-B2A8-D38ED4606B92}: DhcpNameServer=24.29.103.10 24.29.103.11
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=24.29.103.10 24.29.103.11
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=24.29.103.10 24.29.103.11
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=24.29.103.10 24.29.103.11

»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection

»»»»»»»»»»»»»»»»»»»»»»»» End

There's the log.

0

For the record, I didn't mean that last part to be hostile in any way, just stating what it is :-P

0

Hi, Ayenima, I'm not taking offence at anything...
Could you please delete ComboFix.exe that you downloaded = C:\Documents and Settings\Larry\Desktop\ComboFix.exe, plus C:\Combofix.txt and the C:\Qoobox folder.
==Restart your computer in Safe Mode:- press F8 several times while POST is running and before IDE detection completes, press Yes to bypass System Restore.
- On the Windows Advanced Options Menu, select Safe Mode and press Enter.
- When the Boot Menu appears again, select Microsoft Windows XP and press Enter.
- Log in by using your account if an administrator, otherwise use the Administrator account and password. NOTE: The password is blank by default unless you set a password.
==Instead of running a fix with the Smitfraud tool, merely go Start, run, type cmd and press Enter, then paste this line into the window after the prompt and press Enter:

reg delete "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0" /f

Close the window.
==Start AVG AS and do a complete system scan [ensure recommended action is set to Quarantine as I mentioned before]. Save the log.

Start Avenger, select “Input script manually” and then click the magnifying glass icon. Paste into the box as one block all the text between the lines:-
_____________________________________
Files to delete:
C:\Program Files\Windows NT\mewofyn83122.dll
C:\Program Files\Internet Explorer\rteremejyfs.html
C:\WINDOWS\system32\xxyvsrr.dll

Folders to delete:
C:\WINDOWS\system32\o02PrEz
C:\WINDOWS\system32\win
C:\WINDOWS\system32\B4
C:\WINDOWS\system32\B3
C:\WINDOWS\system32\B2
C:\WINDOWS\system32\B1
C:\Temp\iee
C:\Temp
_____________________________________
...and click Done, and finally the green light.

Restart in normal mode, make a fresh hijackthis log, post it plus Avenger, and AVG logs.
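The Desktop Components section of the SmitfraudFix report and the reg delete line above are a pair: the Components\0 registry key is what keeps re-creating the HTML file as an Active Desktop item, which is why deleting the file alone never stuck. As an added example (not part of SmitfraudFix, Avenger or this thread), the script below parses that section out of a rapport.txt and emits the reg delete command for every component whose Source is a local file, together with the matching Avenger "Files to delete:" script for the file itself. The BENIGN_SOURCES list is an assumption; the sample report is a constructed excerpt of the report posted above.

```python
"""Derive the two remediation steps (reg delete + Avenger script) from the
"Desktop Components" section of a SmitfraudFix rapport.txt.

Added example for this thread; not part of SmitfraudFix or Avenger.
BENIGN_SOURCES is an assumption about what Windows itself writes there.
"""
import re
from typing import Dict, List, Tuple

_HEADER = re.compile(r"^»+\s*(?P<name>.+?)\s*$")   # the report's » section fence
_KEY = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]$")
_VALUE = re.compile(r'^"(?P<name>[^"]+)"="(?P<val>.*)"$')
_LOCAL_FILE = re.compile(r"^[A-Za-z]:\\")
BENIGN_SOURCES = {"", "about:home", "about:blank"}

def parse_desktop_components(report: str) -> Dict[str, Dict[str, str]]:
    """Map each Components\\N key to its values.  Registry-export escaping
    (backslashes doubled) is undone so Source is a usable path."""
    comps: Dict[str, Dict[str, str]] = {}
    in_section, key = False, None
    for raw in report.splitlines():
        line = raw.strip()
        h = _HEADER.match(line)
        if h:
            in_section = h.group("name") == "Desktop Components"
            key = None
            continue
        if not in_section:
            continue
        k = _KEY.match(line)
        if k:
            key = k.group("key")
            comps[key] = {}
            continue
        v = _VALUE.match(line)
        if v and key is not None:
            comps[key][v.group("name")] = v.group("val").replace("\\\\", "\\")
    return comps

def plan_remediation(report: str) -> Tuple[List[str], str]:
    """(reg delete commands, Avenger script) for components whose Source is a
    local file.  http Sources are left for a human: a web item the user added
    on purpose looks identical in the registry."""
    reg_cmds, files = [], []
    for key, values in parse_desktop_components(report).items():
        src = values.get("Source", "")
        if src.lower() in BENIGN_SOURCES or not _LOCAL_FILE.match(src):
            continue
        reg_cmds.append(f'reg delete "{key}" /f')
        files.append(src)
    script = "Files to delete:\n" + "\n".join(files) if files else ""
    return reg_cmds, script

# Constructed sample: excerpt of the SmitfraudFix report posted above.
SAMPLE_REPORT = r'''
»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys

»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="C:\\Program Files\\Internet Explorer\\rteremejyfs.html"
"SubscribedURL"=""
"FriendlyName"=""

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\1]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!
'''

if __name__ == "__main__":
    cmds, avenger = plan_remediation(SAMPLE_REPORT)
    print("\n".join(cmds))
    print(avenger)
```

For the sample it produces exactly the reg delete line given above and an Avenger script naming rteremejyfs.html, and leaves the About:Home component alone. Note that reg delete on HKEY_CURRENT_USER only touches the hive of the account running it, so the command has to be typed in a cmd window in the affected user's own session (Larry here), not from another account.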

0

HijackThis Log

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 5:02:02 PM, on 6/27/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\NavNT\vptray.exe
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\atwtusb.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Xfire\Xfire.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\imsubtle.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] "C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE"
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [atwtusb] atwtusb.exe beta
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\IGN\Download Manager\DLM.exe /windowsstart /startifwork
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [WinPop] C:\Program Files\WinPop\winpop.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://webcam.salisbury.edu/activex/AxisCamControl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - Unknown owner - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
--
End of file - 6660 bytes

Avenger Log

//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////
Error: could not create zip file.
Error code: 1813
//////////////////////////////////////////

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\vugfjiuf
*******************
Script file located at: \??\C:\Program Files\skkkxkkn.txt
Script file opened successfully.
Script file read successfully
Backups directory opened successfully at C:\Avenger
*******************
Beginning to process script file:
File C:\Program Files\Windows NT\mewofyn83122.dll deleted successfully.

File C:\Program Files\Internet Explorer\rteremejyfs.html not found!
Deletion of file C:\Program Files\Internet Explorer\rteremejyfs.html failed!
Could not process line:
C:\Program Files\Internet Explorer\rteremejyfs.html
Status: 0xc0000034

File C:\WINDOWS\system32\xxyvsrr.dll not found!
Deletion of file C:\WINDOWS\system32\xxyvsrr.dll failed!
Could not process line:
C:\WINDOWS\system32\xxyvsrr.dll
Status: 0xc0000034
Folder C:\WINDOWS\system32\o02PrEz deleted successfully.
Folder C:\WINDOWS\system32\win deleted successfully.
Folder C:\WINDOWS\system32\B4 deleted successfully.
Folder C:\WINDOWS\system32\B3 deleted successfully.
Folder C:\WINDOWS\system32\B2 deleted successfully.
Folder C:\WINDOWS\system32\B1 deleted successfully.
Folder C:\Temp\iee deleted successfully.
Folder C:\Temp deleted successfully.
Completed script processing.
*******************
Finished! Terminate.
//////////////////////////////////////////


AVG AS Log

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------
+ Created at: 4:56:33 PM 6/27/2007
+ Scan result:

C:\Program Files\backups\backup-20070626-014558-756.dll -> Adware.Agent : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{2AA6384C-372E-4275-91A5-6E131A766022}\RP303\A0568639.dll -> Adware.Agent : Cleaned with backup (quarantined).
C:\VundoFix Backups\bxvymww.dll.bad -> Adware.Agent : Cleaned with backup (quarantined).
C:\Program Files\backups\backup-20070626-004415-558.dll -> Adware.Mirar : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{2AA6384C-372E-4275-91A5-6E131A766022}\RP303\A0568611.dll -> Adware.Mirar : Cleaned with backup (quarantined).
C:\Program Files\WinPop\winpop.exe -> Adware.Rond : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{2AA6384C-372E-4275-91A5-6E131A766022}\RP303\A0568496.exe -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{2AA6384C-372E-4275-91A5-6E131A766022}\RP303\A0568600.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\VundoFix Backups\opnmlmm.dll.bad -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\WINDOWS\system32\xxyvsrr.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\WINDOWS\system32\B3\wr620.exe -> Downloader.Agent.bls : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{2AA6384C-372E-4275-91A5-6E131A766022}\RP303\A0568492.exe -> Downloader.PurityScan : Cleaned with backup (quarantined).
C:\WINDOWS\system32\o02PrEz\o02PrEz1065.exe -> Downloader.VB.awj : Cleaned with backup (quarantined).
C:\WINDOWS\system32\B2\wen2.exe -> Dropper.Agent.bfr : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\UWA7P_0001_N91M0809NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.o : Cleaned with backup (quarantined).
C:\Documents and Settings\Larry\Cookies\larry@2o7[2].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Larry\Cookies\larry@ads.addynamix[2].txt -> TrackingCookie.Addynamix : Cleaned.
C:\Documents and Settings\Larry\Cookies\larry@rotator.adjuggler[2].txt -> TrackingCookie.Adjuggler : Cleaned.
C:\Documents and Settings\Larry\Cookies\larry@adrevolver[1].txt -> TrackingCookie.Adrevolver : Cleaned.
C:\Documents and Settings\Larry\Cookies\larry@advertising[2].txt -> TrackingCookie.Advertising : Cleaned.
C:\Documents and Settings\Larry\Cookies\larry@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned.
C:\Documents and Settings\Larry\Cookies\larry@bluestreak[1].txt -> TrackingCookie.Bluestreak : Cleaned.
C:\Documents and Settings\Larry\Cookies\larry@burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned.
C:\Documents and Settings\Larry\Cookies\larry@www.burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned.
C:\Documents and Settings\Larry\Cookies\larry@casalemedia[2].txt -> TrackingCookie.Casalemedia : Cleaned.
C:\Documents and Settings\Larry\Cookies\larry@com[1].txt -> TrackingCookie.Com : Cleaned.
C:\Documents and Settings\Larry\Cookies\larry@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned.
C:\Documents and Settings\Larry\Cookies\larry@adopt.euroclick[2].txt -> TrackingCookie.Euroclick : Cleaned.
C:\Documents and Settings\Larry\Cookies\larry@fastclick[1].txt -> TrackingCookie.Fastclick : Cleaned.
C:\Documents and Settings\Larry\Cookies\larry@mediaplex[2].txt -> TrackingCookie.Mediaplex : Cleaned.
C:\Documents and Settings\Larry\Cookies\larry@overture[1].txt -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\Larry\Cookies\larry@perf.overture[1].txt -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\Larry\Cookies\larry@ads.pointroll[2].txt -> TrackingCookie.Pointroll : Cleaned.
C:\Documents and Settings\Larry\Cookies\larry@questionmarket[2].txt -> TrackingCookie.Questionmarket : Cleaned.
C:\Documents and Settings\Larry\Cookies\larry@realmedia[2].txt -> TrackingCookie.Realmedia : Cleaned.
C:\Documents and Settings\Larry\Cookies\larry@revsci[2].txt -> TrackingCookie.Revsci : Cleaned.
C:\Documents and Settings\Larry\Cookies\larry@edge.ru4[2].txt -> TrackingCookie.Ru4 : Cleaned.
C:\Documents and Settings\Larry\Cookies\larry@bs.serving-sys[2].txt -> TrackingCookie.Serving-sys : Cleaned.
C:\Documents and Settings\Larry\Cookies\larry@serving-sys[1].txt -> TrackingCookie.Serving-sys : Cleaned.
C:\Documents and Settings\Larry\Cookies\larry@adopt.specificclick[1].txt -> TrackingCookie.Specificclick : Cleaned.
C:\Documents and Settings\Larry\Cookies\larry@specificclick[2].txt -> TrackingCookie.Specificclick : Cleaned.
C:\Documents and Settings\Larry\Cookies\larry@statcounter[1].txt -> TrackingCookie.Statcounter : Cleaned.
C:\Documents and Settings\Larry\Cookies\larry@tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\Larry\Cookies\larry@trafficmp[1].txt -> TrackingCookie.Trafficmp : Cleaned.
C:\Documents and Settings\Larry\Cookies\larry@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : Cleaned.
C:\Documents and Settings\Larry\Cookies\larry@m.webtrends[2].txt -> TrackingCookie.Webtrends : Cleaned.
C:\Documents and Settings\Larry\Cookies\larry@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\Documents and Settings\Larry\Cookies\larry@zedo[2].txt -> TrackingCookie.Zedo : Cleaned.
C:\Program Files\WinPop\UnInstall.exe -> Trojan.Small.oa : Cleaned with backup (quarantined).

::Report end

While it was set to Quarantine everything (including the default action), the Trackers remained at Delete.

0

Hi, Ayenima, that took care of a lot. Please do these things:
Delete the files held in AVG quarantine.
Delete C:\VundoFix Backups
Fix these with hijackthis:

O4 - HKCU\..\Run: [WinPop] C:\Program Files\WinPop\winpop.exe
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)

Now do a search for any files in your C: drive with "mirar" as a search string, delete any you find [be sensible about that..]
System Restore Points Clearance:
==Now we MUST clear all your system restore points because some have been infected.... AVG may have cleaned them, but we cannot be sure it found everything. So go control panel > system > system restore tab, check Turn off sys res on all drives, Apply and OK. Do it all again but uncheck that box, Apply and OK.
Run CCleaner again, and as a final check please do the Panda Online Scan:
==Please do an online scan at panda:- http://www.pandasoftware.com/products/activescan?
-select a link to the scan... free online virus scan...., enter a valid? email and follow through, choosing My Computer for a full system scan.
Post the log it produces here.
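The cross-check behind the list above (an O4 autorun whose target AVG flagged, plus every O15 Trusted Zone addition) can be scripted. This is an added example, not code from the thread or from either tool; the sample lines are copied from the logs posted above, and the parsing rules and the Finding structure are this example's own assumptions.

```python
"""Triage a HijackThis log against an AVG Anti-Spyware report.

Added example, not code from the thread or from either tool. It reproduces
the helper's manual step of picking which HijackThis lines to "fix": every
O15 Trusted Zone addition, and any O4 autorun whose target the scanner
flagged (exact file, or a file in the same folder). The sample lines are
copied from the logs posted in the thread; the parsing rules and the
Finding structure are this example's own.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample: a handful of lines from the HijackThis log in the thread.
HJT_SAMPLE = r"""
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [WinPop] C:\Program Files\WinPop\winpop.exe
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
"""

# Constructed sample: detection lines from the AVG Anti-Spyware report.
AVG_SAMPLE = r"""
C:\Program Files\WinPop\winpop.exe -> Adware.Rond : Cleaned with backup (quarantined).
C:\WINDOWS\system32\xxyvsrr.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\Program Files\WinPop\UnInstall.exe -> Trojan.Small.oa : Cleaned with backup (quarantined).
C:\Documents and Settings\Larry\Cookies\larry@zedo[2].txt -> TrackingCookie.Zedo : Cleaned.
"""

O4_RE = re.compile(r"^O4 - (?P<hive>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O15_RE = re.compile(r"^O15 - Trusted Zone: (?P<site>\S+)")
AVG_RE = re.compile(r"^(?P<path>.+?) -> (?P<detection>\S+) : (?P<action>.*)$")


@dataclass(frozen=True)
class Finding:
    line: str    # the HijackThis line exactly as logged
    reason: str  # why it was selected for fixing


def exe_from_command(cmd: str) -> str:
    """Return the program path from an O4 command line.

    Handles the three shapes seen in the log: a quoted path followed by
    arguments, an unquoted path ending in .exe, and a bare program name.
    """
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(?i)(.+?\.exe)(?:\s|$)", cmd)
    return m.group(1) if m else cmd.split()[0]


def parse_avg_detections(report: str) -> Dict[str, str]:
    """Map each flagged path (lower-cased) to its detection name."""
    found: Dict[str, str] = {}
    for line in report.splitlines():
        m = AVG_RE.match(line.strip())
        if m:
            found[m.group("path").lower()] = m.group("detection")
    return found


def folder_of(path: str) -> str:
    """Parent folder of a Windows path, or '' for a bare program name."""
    return path.rsplit("\\", 1)[0] if "\\" in path else ""


def lines_to_fix(hjt_log: str, avg_report: str) -> List[Finding]:
    """Select the HijackThis lines to fix, in log order."""
    detections = parse_avg_detections(avg_report)
    flagged_folders = {folder_of(p) for p in detections if folder_of(p)}
    findings: List[Finding] = []
    for raw in hjt_log.splitlines():
        line = raw.strip()
        m = O4_RE.match(line)
        if m:
            exe = exe_from_command(m.group("cmd")).lower()
            if exe in detections:
                findings.append(Finding(line, f"autorun target flagged as {detections[exe]}"))
            elif folder_of(exe) in flagged_folders:
                findings.append(Finding(line, "autorun target lives in a folder with flagged files"))
            continue
        m = O15_RE.match(line)
        if m:
            # Any site pushed into the Trusted Zone is worth removing: it
            # relaxes IE's security settings for that site.
            findings.append(Finding(line, f"{m.group('site')} added to IE Trusted Zone"))
    return findings


if __name__ == "__main__":
    for f in lines_to_fix(HJT_SAMPLE, AVG_SAMPLE):
        print(f"{f.line}\n    -> {f.reason}")
```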

0

Everything done except for the Panda scan, it closes randomly, and I don't know what's causing it. The first time I ran a scan I went to bed and woke up a few hours later, I came back to my computer (which was locked) and discovered the scan had disappeared. I've tried it twice more and again the same issue, it randomly closes. It gets to about 20%, with 19 Spyware and 2 Hacking Tools and Utilities found before it exits.

0

Ah, Ayenima, the fun of it all...yeah. Sometimes you win through by plugging away with the same tools; each time they run they get a little bit further.
Let's try this path:
==Run CCleaner, then try a run of AVG AS, Fast system scan. Then try Panda again, it should take no more than an hour for a typical sys, but what is that anyway?
If it fails again try this site for ComboFix [the earlier site you used does not seem to have the latest detections incorporated...]
Combofix:
==Download this file to your desktop: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
- to run it double-click combofix.exe and follow the prompts to start it. When finished, it will produce a log, C:\Combofix.txt - post that log in your next reply.
A word of caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.
==Panda still will not run? Then go to this site for an excellent alternative scanner: http://www.kaspersky.com/virusscanner
Unfortunately with this one if it finds a virus or trojan it will just list it.
Come back with how you get on...

0

ComboFix Log

."Larry" - 2007-06-30 15:54:39 - ComboFix 07-06-27.7 - Service Pack 2 NTFS

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\Program Files\winpop

((((((((((((((((((((((((( Files Created from 2007-05-28 to 2007-06-30 )))))))))))))))))))))))))))))))

2007-06-30 02:36 <DIR> d-------- C:\Burning Crusade
2007-06-28 14:42 <DIR> d-------- C:\Program Files\CCleaner
2007-06-27 14:31 786,432 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-06-27 01:53 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-06-27 01:53 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-06-27 01:53 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-06-27 01:53 2,482 --a------ C:\WINDOWS\system32\tmp.reg
2007-06-26 00:44 <DIR> d-------- C:\Program Files\backups
2007-06-25 23:04 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-25 22:51 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2007-06-25 21:26 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-06-25 20:41 1,308,216 --a------ C:\Program Files\imsubtle.exe
2007-06-25 20:24 83,024 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2007-06-25 20:24 57,424 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2007-06-25 20:24 53,840 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2007-06-25 20:24 39,376 --a------ C:\WINDOWS\system32\drivers\ikfileflt.sys
2007-06-25 20:24 29,264 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2007-06-25 20:24 <DIR> d-------- C:\Program Files\Spyware Doctor
2007-06-25 20:24 <DIR> d-------- C:\DOCUME~1\Larry\APPLIC~1\PC Tools
2007-06-25 20:24 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google
2007-06-25 00:50 59,264 --a------ C:\WINDOWS\system32\drivers\USBAUDIO.sys
2007-06-24 22:05 <DIR> d-------- C:\Program Files\Psicraft
2007-06-24 22:05 <DIR> d-------- C:\DOCUME~1\Larry\APPLIC~1\Psicraft
2007-06-24 21:35 <DIR> d-------- C:\Program Files\Line6
2007-06-24 21:35 <DIR> d-------- C:\DOCUME~1\Larry\APPLIC~1\Line 6
2007-05-08 21:53 443,752 --a------ C:\WINDOWS\system32\d3dx10_33.dll
2007-05-08 21:53 3,495,784 --a------ C:\WINDOWS\system32\d3dx9_33.dll
2007-05-08 21:53 261,480 --a------ C:\WINDOWS\system32\xactengine2_7.dll
2007-05-08 21:53 255,848 --a------ C:\WINDOWS\system32\xactengine2_6.dll
2007-05-08 21:53 251,672 --a------ C:\WINDOWS\system32\xactengine2_5.dll
2007-05-08 21:53 1,123,696 --a------ C:\WINDOWS\system32\D3DCompiler_33.dll
2007-05-08 21:52 <DIR> d--h----- C:\WINDOWS\msdownld.tmp
2007-05-08 21:51 <DIR> d-------- C:\WINDOWS\system32\AGEIA
2007-05-08 21:51 <DIR> d-------- C:\Program Files\AGEIA Technologies
2007-05-08 21:46 <DIR> d-------- C:\Program Files\Timeline Interactive
2007-05-05 02:55 90,112 --a------ C:\WINDOWS\unvise32.exe
2007-05-05 02:52 <DIR> d-------- C:\Program Files\e frontier
2007-05-01 18:24 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-06-30 19:52:38 -------- d-----w C:\DOCUME~1\Larry\APPLIC~1\Xfire
2007-06-30 07:49:58 -------- d-s---w C:\Program Files\Xfire
2007-06-30 07:44:47 -------- d-----w C:\Program Files\NavNT
2007-06-30 07:44:47 -------- d-----w C:\Program Files\ewido anti-spyware 4.0
2007-06-30 07:44:22 -------- d-----w C:\Program Files\AIM
2007-06-29 06:29:50 -------- d-----w C:\Program Files\World of Warcraft
2007-06-29 05:12:10 -------- d-----w C:\Program Files\Total Video Converter
2007-06-28 07:47:50 -------- d-----w C:\Program Files\Steam
2007-06-27 20:59:37 -------- d-----w C:\Program Files\Windows NT
2007-06-26 03:40:17 -------- d-----w C:\Program Files\BraveTree
2007-06-26 03:35:42 -------- d-----w C:\Program Files\Google
2007-06-26 02:51:45 1,100 ----a-w C:\WINDOWS\system32\d3d8caps.dat
2007-06-26 00:35:57 -------- d-----w C:\DOCUME~1\Larry\APPLIC~1\Google
2007-06-19 19:04:30 -------- d-----w C:\Program Files\GCH Guitar academy
2007-06-19 03:43:07 -------- d-----w C:\DOCUME~1\Larry\APPLIC~1\IGN_DLM
2007-06-16 05:16:32 -------- d-----w C:\Program Files\Mp3 My Mp3 2.0
2007-06-08 03:42:21 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-05-20 00:20:05 43,520 ----a-w C:\WINDOWS\system32\CmdLineExt03.dll
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-05-09 01:51:14 -------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2007-04-19 17:26:00 888,832 ----a-w C:\WINDOWS\system32\nvmobls.dll
2007-04-19 17:26:00 86,016 ----a-w C:\WINDOWS\system32\nvmctray.dll
2007-04-19 17:26:00 81,920 ----a-w C:\WINDOWS\system32\nvwddi.dll
2007-04-19 17:26:00 794,624 ----a-w C:\WINDOWS\system32\nvcplui.exe
2007-04-19 17:26:00 7,700,480 ----a-w C:\WINDOWS\system32\nvcpl.dll
2007-04-19 17:26:00 581,632 ----a-w C:\WINDOWS\system32\nvhwvid.dll
2007-04-19 17:26:00 5,644,288 ----a-w C:\WINDOWS\system32\nvoglnt.dll
2007-04-19 17:26:00 5,619,712 ----a-w C:\WINDOWS\system32\nvdisps.dll
2007-04-19 17:26:00 5,255,168 ----a-w C:\WINDOWS\system32\nvdispsr.dll
2007-04-19 17:26:00 466,944 ----a-w C:\WINDOWS\system32\nvshell.dll
2007-04-19 17:26:00 458,752 ----a-w C:\WINDOWS\system32\nvmccssr.dll
2007-04-19 17:26:00 45,056 ----a-w C:\WINDOWS\system32\nvmccsrs.dll
2007-04-19 17:26:00 442,368 ----a-w C:\WINDOWS\system32\nvappbar.exe
2007-04-19 17:26:00 425,984 ----a-w C:\WINDOWS\system32\keystone.exe
2007-04-19 17:26:00 4,543,616 ----a-w C:\WINDOWS\system32\nv4_disp.dll
2007-04-19 17:26:00 35,840 ----a-w C:\WINDOWS\system32\nvcodins.dll
2007-04-19 17:26:00 35,840 ----a-w C:\WINDOWS\system32\nvcod.dll
2007-04-19 17:26:00 335,872 ----a-w C:\WINDOWS\system32\nvwrses.dll
2007-04-19 17:26:00 335,872 ----a-w C:\WINDOWS\system32\nvwrsel.dll
2007-04-19 17:26:00 327,680 ----a-w C:\WINDOWS\system32\nvwrsfr.dll
2007-04-19 17:26:00 327,680 ----a-w C:\WINDOWS\system32\nvwrsesm.dll
2007-04-19 17:26:00 323,584 ----a-w C:\WINDOWS\system32\nvwrspt.dll
2007-04-19 17:26:00 323,584 ----a-w C:\WINDOWS\system32\nvwrsit.dll
2007-04-19 17:26:00 323,584 ----a-w C:\WINDOWS\system32\nvrshe.dll
2007-04-19 17:26:00 323,584 ----a-w C:\WINDOWS\system32\nvrsar.dll
2007-04-19 17:26:00 319,488 ----a-w C:\WINDOWS\system32\nvwrsptb.dll
2007-04-19 17:26:00 319,488 ----a-w C:\WINDOWS\system32\nvwrsnl.dll
2007-04-19 17:26:00 315,392 ----a-w C:\WINDOWS\system32\nvwrsru.dll
2007-04-19 17:26:00 315,392 ----a-w C:\WINDOWS\system32\nvwrshu.dll
2007-04-19 17:26:00 311,296 ----a-w C:\WINDOWS\system32\nvwrsde.dll
2007-04-19 17:26:00 311,296 ----a-w C:\WINDOWS\system32\nvexpbar.dll
2007-04-19 17:26:00 303,104 ----a-w C:\WINDOWS\system32\nvwrstr.dll
2007-04-19 17:26:00 303,104 ----a-w C:\WINDOWS\system32\nvwrssl.dll
2007-04-19 17:26:00 303,104 ----a-w C:\WINDOWS\system32\nvwrsfi.dll
2007-04-19 17:26:00 3,203,072 ----a-w C:\WINDOWS\system32\nvgamesr.dll
2007-04-19 17:26:00 3,035,136 ----a-w C:\WINDOWS\system32\nvgames.dll
2007-04-19 17:26:00 299,008 ----a-w C:\WINDOWS\system32\nvwrssk.dll
2007-04-19 17:26:00 299,008 ----a-w C:\WINDOWS\system32\nvwrsno.dll
2007-04-19 17:26:00 294,912 ----a-w C:\WINDOWS\system32\nvwrssv.dll
2007-04-19 17:26:00 294,912 ----a-w C:\WINDOWS\system32\nvwrspl.dll
2007-04-19 17:26:00 294,912 ----a-w C:\WINDOWS\system32\nvwrsda.dll
2007-04-19 17:26:00 286,720 ----a-w C:\WINDOWS\system32\nvwrseng.dll
2007-04-19 17:26:00 286,720 ----a-w C:\WINDOWS\system32\nvwrscs.dll
2007-04-19 17:26:00 286,720 ----a-w C:\WINDOWS\system32\nvnt4cpl.dll
2007-04-19 17:26:00 282,624 ----a-w C:\WINDOWS\system32\nvwrsar.dll
2007-04-19 17:26:00 278,528 ----a-w C:\WINDOWS\system32\nvwrshe.dll
2007-04-19 17:26:00 278,528 ----a-w C:\WINDOWS\system32\nvrsfr.dll
2007-04-19 17:26:00 274,432 ----a-w C:\WINDOWS\system32\nvrsit.dll
2007-04-19 17:26:00 274,432 ----a-w C:\WINDOWS\system32\nvrses.dll
2007-04-19 17:26:00 274,432 ----a-w C:\WINDOWS\system32\nvrsel.dll
2007-04-19 17:26:00 270,336 ----a-w C:\WINDOWS\system32\nvrsde.dll
2007-04-19 17:26:00 266,240 ----a-w C:\WINDOWS\system32\nvrspt.dll
2007-04-19 17:26:00 266,240 ----a-w C:\WINDOWS\system32\nvrsnl.dll
2007-04-19 17:26:00 266,240 ----a-w C:\WINDOWS\system32\nvrsesm.dll
2007-04-19 17:26:00 262,144 ----a-w C:\WINDOWS\system32\nvrsru.dll
2007-04-19 17:26:00 262,144 ----a-w C:\WINDOWS\system32\nvrsptb.dll
2007-04-19 17:26:00 262,144 ----a-w C:\WINDOWS\system32\nvrsja.dll
2007-04-19 17:26:00 258,048 ----a-w C:\WINDOWS\system32\nvrsko.dll
2007-04-19 17:26:00 253,952 ----a-w C:\WINDOWS\system32\nvrshu.dll
2007-04-19 17:26:00 249,856 ----a-w C:\WINDOWS\system32\nvrstr.dll
2007-04-19 17:26:00 249,856 ----a-w C:\WINDOWS\system32\nvrssl.dll
2007-04-19 17:26:00 249,856 ----a-w C:\WINDOWS\system32\nvrssk.dll
2007-04-19 17:26:00 249,856 ----a-w C:\WINDOWS\system32\nvrspl.dll
2007-04-19 17:26:00 249,856 ----a-w C:\WINDOWS\system32\nvrsno.dll
2007-04-19 17:26:00 245,760 ----a-w C:\WINDOWS\system32\nvrssv.dll
2007-04-19 17:26:00 245,760 ----a-w C:\WINDOWS\system32\nvrsda.dll
2007-04-19 17:26:00 241,664 ----a-w C:\WINDOWS\system32\nvrsfi.dll
2007-04-19 17:26:00 241,664 ----a-w C:\WINDOWS\system32\nvrseng.dll
2007-04-19 17:26:00 241,664 ----a-w C:\WINDOWS\system32\nvrscs.dll
2007-04-19 17:26:00 229,376 ----a-w C:\WINDOWS\system32\nvmccs.dll
2007-04-19 17:26:00 221,184 ----a-w C:\WINDOWS\system32\nvrszhc.dll
2007-04-19 17:26:00 212,992 ----a-w C:\WINDOWS\system32\nvwrsja.dll
2007-04-19 17:26:00 212,992 ----a-w C:\WINDOWS\system32\nvapi.dll
2007-04-19 17:26:00 2,973,696 ----a-w C:\WINDOWS\system32\nvvitvsr.dll
2007-04-19 17:26:00 2,924,544 ----a-w C:\WINDOWS\system32\nvvitvs.dll
2007-04-19 17:26:00 2,859,008 ----a-w C:\WINDOWS\system32\nvmoblsr.dll
2007-04-19 17:26:00 196,608 ----a-w C:\WINDOWS\system32\nvwrsko.dll
2007-04-19 17:26:00 188,416 ----a-w C:\WINDOWS\system32\nvmccss.dll
2007-04-19 17:26:00 167,936 ----a-w C:\WINDOWS\system32\nvwrszht.dll
2007-02-23 07:57:59 88 --sh--r C:\WINDOWS\system32\4BFB238848.sys

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{02478D38-C3F9-4EFB-9B51-7695ECA05670}=C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll [2006-10-26 11:28]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"vptray"="C:\Program Files\NavNT\vptray.exe" [2001-09-24 07:59]
"nwiz"="nwiz.exe" [2007-04-19 13:26 C:\WINDOWS\system32\nwiz.exe]
"Logitech Hardware Abstraction Layer"="C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE" []
"ViewMgr"="C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe" []
"Cmaudio"="cmicnfg.cpl" []
"@"="" []
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" []
"atwtusb"="atwtusb.exe" [2005-02-03 10:37 C:\WINDOWS\system32\atwtusb.exe]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-09-01 16:57]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-06-26 02:30]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igndlm.exe"="C:\Program Files\IGN\Download Manager\DLM.exe" [2006-11-07 18:22]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2006-11-12 06:48]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 13:54]
"Steam"="" []
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-01-19 13:49]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"=Narrator.exe
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2006-09-28 10:13]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\sdauxservice]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\sdcoreservice]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
"C:\Program Files\Steam\Steam.exe" -silent
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2a15a5a0-aa57-11db-a05a-9ccc57198468}]
AutoRun\command- F:\LaunchU3.exe -a

**************************************************************************
catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-30 15:58:16
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Completion time: 2007-06-30 15:58:39
C:\ComboFix-quarantined-files.txt ... 2007-06-25 23:23
--- E O F ---


Kaspersky log

Scan Settings
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target: My Computer
A:\
C:\
D:\
E:\

Scan Statistics
Total number of scanned objects: 166298
Number of viruses found: 2
Number of infected objects: 7
Number of suspicious objects: 0
Duration of the scan process: 02:30:44

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\021C0000.VBN Infected: Exploit.HTML.IESlice.d skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\02680000.VBN Infected: Exploit.HTML.IESlice.d skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\02A80000.VBN Infected: Exploit.HTML.IESlice.d skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\04A00000.VBN Infected: Exploit.HTML.IESlice.d skipped
C:\Documents and Settings\Larry\Application Data\Aim\lwbhvxqj\stormreaver226\cert8.db Object is locked skipped
C:\Documents and Settings\Larry\Application Data\Aim\lwbhvxqj\stormreaver226\key3.db Object is locked skipped
C:\Documents and Settings\Larry\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Larry\Desktop\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Larry\Desktop\SmitfraudFix.zip/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Larry\Desktop\SmitfraudFix.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Larry\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Larry\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Larry\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Larry\Local Settings\History\History.IE5\MSHist012007063020070701\index.dat Object is locked skipped
C:\Documents and Settings\Larry\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Larry\ntuser.dat Object is locked skipped
C:\Documents and Settings\Larry\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\World of Warcraft\Logs\gx.log Object is locked skipped
C:\Program Files\World of Warcraft\Logs\Sound.log Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{2AA6384C-372E-4275-91A5-6E131A766022}\RP308\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\TempFile Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
Scan process completed.


Ayenima, you will have to guide me here... I assume because you used Kaspersky that panda is still not running? Combofix removed a winpop folder, and otherwise shows nothing; K picked up 4 contents of Norton's Quarantine folder - you should delete those from here:
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\
-plus a Smitfraudfix process [3 times] which is not a problem - you may delete Sm.zip, Sm.exe.
Mirar should be gone, are there any popups still occurring? Is your sys back to normal?
Show me a fresh hijackthis log, if you will.


I couldn't find Application Data, so I did a search in C:\ for folders with the name Quarantine having anything to do with Norton.

And to answer your question, yes, Panda would still not work.

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 1:52:39 PM, on 7/1/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\NavNT\vptray.exe
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\atwtusb.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Xfire\Xfire.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\imsubtle.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] "C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE"
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [atwtusb] atwtusb.exe beta
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\IGN\Download Manager\DLM.exe /windowsstart /startifwork
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://webcam.salisbury.edu/activex/AxisCamControl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - Unknown owner - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
--
End of file - 6547 bytes


You don't have this path on your sys?
C:\Documents and Settings\All Users\Application Data\
Gee... yours is well customised, then.
Your log is clean, and if there are no popups, well, may we say no problem exists now? To clean out Norton remnants [there is still a service trying to run..] do this:
Go start, run, type cmd and press Enter. Paste in these two lines pressing Enter after each, then close the window:

sc stop "Norton AntiVirus Server"
sc delete "Norton AntiVirus Server"

Do that even if you decide to reinstall Norton, in which case you must remove AVG Free.
.. I wonder if that was halting Panda's scan..? Do a search using "panda" as the search string in C:\ and delete the 4? components you find. If you retry the site then it may well work.
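As an added example (not part of this thread, and not from Symantec or the helper above), here is a PowerShell script that does the same cleanup with a check first: it lists every service whose registered executable no longer exists on disk, which is what a half-uninstalled product typically leaves behind, and only then stops and deletes the one you name. It assumes the service name is "Norton AntiVirus Server", which is how HijackThis prints it: the O23 line reads "Service: <display name> (<service name>)", and sc works on the name in parentheses, not the display name. It also assumes an elevated prompt and PowerShell 2.0 or later. Two pitfalls the two-line recipe runs into are handled here: a service name containing spaces must be quoted, otherwise sc tries to stop a service called "Norton" and fails; and inside PowerShell `sc` is an alias for Set-Content, so the script calls sc.exe explicitly.

```powershell
# Added example: report services whose binary is missing from disk, then
# (only with -Remove) stop and delete the service named in $Target.
# Assumptions: elevated prompt, PowerShell 2.0+, and that "Norton AntiVirus
# Server" is the service *name* as shown in parentheses on the HijackThis O23 line.
param(
    [string]$Target = 'Norton AntiVirus Server',
    [switch]$Remove   # without this switch the script only reports
)

# Extract the executable from a service's PathName. The value may be quoted
# and may carry arguments, e.g. "C:\foo\bar.exe" -arg or C:\foo\bar.exe -k x.
function Get-ImagePath([string]$PathName) {
    if (-not $PathName) { return $null }
    if ($PathName.StartsWith('"')) {
        $exe = $PathName.Split('"')[1]
    } else {
        $m = [regex]::Match($PathName, '^(.*?\.exe)', 'IgnoreCase')
        if ($m.Success) { $exe = $m.Groups[1].Value } else { $exe = $PathName }
    }
    # Some PathName values still contain %SystemRoot%-style variables.
    return [Environment]::ExpandEnvironmentVariables($exe)
}

# 1. Report every registered service whose executable is gone.
$orphans = Get-WmiObject Win32_Service | Where-Object {
    $exe = Get-ImagePath $_.PathName
    $exe -and -not (Test-Path -LiteralPath $exe)
}
Write-Host 'Services whose binary is missing from disk:'
foreach ($s in $orphans) {
    '{0,-30} {1,-8} {2}' -f $s.Name, $s.State, $s.PathName
}

# 2. Remove the target only if asked to. Note the quoting of the service name
#    and the explicit sc.exe (plain "sc" would resolve to Set-Content here).
if ($Remove) {
    $filter = "Name='{0}'" -f $Target.Replace("'", "''")
    $svc = Get-WmiObject Win32_Service -Filter $filter
    if (-not $svc) {
        Write-Host "No service named '$Target' is registered; nothing to do."
        exit 0
    }
    Write-Host ("Removing '{0}' (binary: {1})" -f $svc.Name, $svc.PathName)
    & sc.exe stop "$Target" | Out-Null      # harmless if it is already stopped
    & sc.exe delete "$Target"

    # Verify: the registry key is removed immediately or, if a handle to the
    # service is still open, on the next reboot.
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$Target"
    if (Test-Path -LiteralPath $key) {
        Write-Host 'Service marked for deletion; the key disappears after a reboot.'
    } else {
        Write-Host "Service '$Target' removed."
    }
}
```

Run it once without -Remove to see the orphan list, confirm the target is on it (and that its PathName really points at the NavNT folder you expect), then rerun with -Remove. Deleting a service whose binary is still present and legitimately in use is the mistake the report step is there to prevent.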
