
Hello all. First off I'm new here and I hope to stay and contribute where I can. Seems like a cool site for PC Slaves like myself.

Now here is my very frustrating problem.

About 2 months ago I got a nasty little virus off of a site called packetnews.com (Block that site). It was the WinAntiVirus2007 thing, which kept taking me to that pop-up. I downloaded a few programs like ComboFixer, VundoFix.exe, dss.exe, avg anti-spyware, spybot, etc.

Now I got rid of that (I think), as I don't get pop-ups to that WinAntiVirus anymore. I am, however, getting lots of pop-ups for OTHER sites. And I think one time I saw one for WinAntiVirus, so it might still be in here.

So, aside from the pop-ups, which cause my pc to freeze up for a few seconds every few seconds, I have another problem. My computer freezes up a lot on Internet Explorer, and after checking the task manager, the problem is the 'SYSTEM' process. Please note this is not the System IDLE process, this is THE 'System' process. It goes to like 60-80% when a page is loading, which causes a mass freeze on my system.

Also in Task Manager in my processes there are the following things I'm not sure about:

dnxooyuv.exe - I delete it or terminate the process tree and it comes RIGHT back.

Linksys WUSB11cfg.exe & NICServ.exe - I note this because when I start Windows sometimes it tells me my Linksys is 'Missing files needed to run' and I have to go activate the Linksys device by finding it in my Start>Programs file.

Lastly, sometimes I get 'New Programs Installed' on my Start menu, and they are all old programs I've had for a long time, yet highlighted and called 'new'.

I know this was a long read but I'm really either going to smash my mouse into the wall or hopefully someone out here can help me. Attached is my HJT log. Thanks in advance to anyone who can help.

Attachments
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:08:06 AM, on 11/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\tfcseayy.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Linksys\Wireless-B USB Network Adapter\NICServ.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Linksys\Wireless-B USB Network Adapter\WUSB11Cfg.exe
C:\WINDOWS\system32\rundll32.exe
C:\2020V64\Mswin\60\ttSecurityManager.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\2020V64\Mswin\60\design.exe
C:\Program Files\Century\TinyTERM\tt.exe
C:\Documents and Settings\Faye\Desktop\analyze.exe
C:\Program Files\Messenger\msmsgs.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sirius.com/sirius/servlet/MediaPlayer?stream=&
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
F3 - REG:win.ini: load=mljgg.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3EBAAF22-1AF4-4EF4-92D3-B14E816A5281} - C:\WINDOWS\system32\mllmm.dll
O2 - BHO: (no name) - {446DA5D9-DAD1-490B-B170-25068D83D81E} - C:\WINDOWS\system32\pmnnn.dll
O2 - BHO: (no name) - {4B02F629-7CCA-478D-905F-D8FC24EF9434} - C:\WINDOWS\system32\mljgd.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5A8F8B16-9661-4A3B-BC8A-789B92AAEB0E} - C:\WINDOWS\system32\ddcyx.dll
O2 - BHO: (no name) - {7872AAB4-379D-4390-B025-331C31CCFBBC} - C:\WINDOWS\system32\ddaba.dll
O2 - BHO: (no name) - {7B8FCBD4-FBB3-4F7C-9EA6-98D4610214FC} - C:\WINDOWS\system32\mljjk.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {80C568B2-E5A9-43AE-B80D-98D32906EA91} - C:\WINDOWS\system32\mllmj.dll
O2 - BHO: (no name) - {877962C5-9249-49AB-BED1-FAFBB7521067} - C:\WINDOWS\system32\jkkll.dll
O2 - BHO: (no name) - {89AD4D75-2429-462e-BD4E-443F233F6033} - C:\WINDOWS\system32\bnvfbsml.dll
O2 - BHO: (no name) - {8CE76EC7-77CB-41DA-98B8-95D0A948DB4B} - C:\WINDOWS\system32\mljgh.dll
O2 - BHO: (no name) - {93685282-C8E5-41A3-A5FC-83270918AE64} - C:\WINDOWS\system32\vtsqq.dll
O2 - BHO: (no name) - {95B8B946-4A20-48A5-81C7-F233C14DDD02} - C:\WINDOWS\system32\jkklk.dll
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: (no name) - {A17B5809-5F76-4372-8D3A-9BEC927E366A} - C:\WINDOWS\system32\geedc.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: (no name) - {AAFA471D-55B6-4C37-BBAE-541EE3CA3864} - C:\WINDOWS\system32\ssqpm.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {C40AB3CF-A683-4F09-AA70-71BB2F402874} - C:\WINDOWS\system32\gebyy.dll
O2 - BHO: (no name) - {D29BF76B-8BD3-4BD1-895A-2709535A9FD1} - C:\WINDOWS\system32\gebca.dll
O2 - BHO: (no name) - {D2D451E2-8EA1-4466-B934-A4D6BB63E6E5} - C:\WINDOWS\system32\jkhhg.dll
O2 - BHO: (no name) - {E9BD0828-1FD9-410C-A50F-43EBE65D310F} - C:\WINDOWS\system32\ssqnoom.dll
O2 - BHO: (no name) - {F46552DE-F883-4BE0-A557-595D334C9759} - C:\WINDOWS\system32\ssqpo.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [70c0093d] rundll32.exe "C:\WINDOWS\system32\irsakfya.dll",b
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Default user')
O4 - Global Startup: 20-20 Shortcut Bar.lnk.disabled
O4 - Global Startup: Adobe Gamma Loader.lnk.disabled
O4 - Global Startup: Digital Line Detect.lnk.disabled
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Wireless-B USB Network Adapter Utility.lnk = C:\Program Files\Linksys\Wireless-B USB Network Adapter\WUSB11Cfg.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: ActiveGS.cab - http://www.virtualapple.com/activegs.cab
O16 - DPF: RaptisoftGameLoader - http://www.miniclip.com/haphazard/raptisoftgameloader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E6ACF817-0A85-4EBE-9F0A-096C6488CFEA} (NTR ActiveX 1.1.8) - http://209.192.44.149/inquiero/mod/setup/ntractivex118_24.cab
O20 - Winlogon Notify: ssqnoom - C:\WINDOWS\SYSTEM32\ssqnoom.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: DomainService -   - C:\WINDOWS\system32\tfcseayy.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NICSer_WUSB11 - Unknown owner - C:\Program Files\Linksys\Wireless-B USB Network Adapter\NICServ.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Sentinel Protection Server (SentinelProtectionServer) - SafeNet, Inc - C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\Common Files\rteses.html

--
End of file - 9895 bytes
3 Contributors, 12 Replies, 13 Views, 9 Years Discussion Span, Last Post by crunchie

Hi and welcome to Daniweb forums :).

Please paste your logs here next time rather than attaching them.

Download this file from one of the following links :

http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.techsupportforum.com/sectools/combofix.exe

1. Make sure that ComboFix is downloaded to, and run from, your desktop.
2. Double-click combofix.exe and follow the prompts.
3. When finished, ComboFix generates a pop-up log which can also be found at C:\ComboFix.txt. Post that log in your next reply, along with a new HijackThis log.

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


Hello Crunchie. Thanks for the reply.

I apologize for attaching the log last time; in the future I'll always post them.

Here are the two logs you asked for, first up is the ComboFix log:

ComboFix 07-11-08.1 - Faye 2007-11-09  7:55:52.1 - NTFSx86 
Microsoft Windows XP Home Edition  5.1.2600.2.1252.1.1033.18.89 [GMT -5:00]
Running from: C:\Documents and Settings\Faye\My Documents\ComboFixx.exe
 * Created a new restore point
.

    Unable to gain System Privileges

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\check_LSA7.txt
C:\Program Files\Common Files\okkq
C:\Program Files\Common Files\okkq\okkqa.exe
C:\Program Files\Common Files\okkq\okkqd\class-barrel
C:\Program Files\Common Files\okkq\okkqd\okkqc.dll
C:\Program Files\Common Files\okkq\okkqd\vocabulary
C:\Program Files\Common Files\okkq\okkql.exe
C:\Program Files\Common Files\okkq\okkqm.exe
C:\Program Files\Common Files\okkq\okkqp.exe
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\Temp\fse
C:\Temp\fse\tmpZTF.log
C:\WINDOWS\b103.exe
C:\WINDOWS\b104.exe
C:\WINDOWS\b138.exe
C:\WINDOWS\b143.exe
C:\WINDOWS\b147.exe
C:\WINDOWS\cookies.ini
C:\WINDOWS\okkq
C:\WINDOWS\okkq\okkq.dat
C:\WINDOWS\okkq\wu
C:\WINDOWS\system32\awtqp.dll
C:\WINDOWS\system32\bawhbcgi.exe
C:\WINDOWS\system32\bjghiljk.exe
C:\WINDOWS\system32\bnvfbsml.dll
C:\WINDOWS\system32\bsqvabtf.exe
C:\WINDOWS\SYSTEM32\cdeeg.bak1
C:\WINDOWS\SYSTEM32\cdeeg.ini
C:\WINDOWS\system32\ctkyshqj.exe
C:\WINDOWS\system32\D2
C:\WINDOWS\system32\dnxooyuv.exe
C:\WINDOWS\system32\etrnfowj.exe
C:\WINDOWS\system32\f02WtR
C:\WINDOWS\system32\f02WtR\f02WtR1065.exe
C:\WINDOWS\system32\gebyw.dll
C:\WINDOWS\system32\gebyy.dll
C:\WINDOWS\system32\geedc.dll
C:\WINDOWS\SYSTEM32\grgnhpxk.ini
C:\WINDOWS\system32\hgugoouh.dll
C:\WINDOWS\system32\hjtosnob.exe
C:\WINDOWS\SYSTEM32\huoogugh.ini
C:\WINDOWS\system32\iexegqju.exe
C:\WINDOWS\system32\jkklk.dll
C:\WINDOWS\system32\jkkll.dll
C:\WINDOWS\SYSTEM32\jmllm.bak1
C:\WINDOWS\SYSTEM32\jmllm.ini
C:\WINDOWS\SYSTEM32\klkkj.bak1
C:\WINDOWS\SYSTEM32\klkkj.ini
C:\WINDOWS\system32\kxphngrg.dll
C:\WINDOWS\SYSTEM32\llkkj.bak2
C:\WINDOWS\SYSTEM32\llkkj.ini
C:\WINDOWS\system32\mllmj.dll
C:\WINDOWS\system32\mllmm.dll
C:\WINDOWS\SYSTEM32\mmllm.bak1
C:\WINDOWS\SYSTEM32\mmllm.ini
C:\WINDOWS\SYSTEM32\mpqss.bak1
C:\WINDOWS\SYSTEM32\mpqss.ini
C:\WINDOWS\SYSTEM32\nnnmp.bak1
C:\WINDOWS\SYSTEM32\nnnmp.ini
C:\WINDOWS\system32\nwinsldt.exe
C:\WINDOWS\system32\ooejkqeu.exe
C:\WINDOWS\SYSTEM32\opqss.bak1
C:\WINDOWS\SYSTEM32\opqss.bak2
C:\WINDOWS\SYSTEM32\opqss.ini
C:\WINDOWS\system32\pmnnn.dll
C:\WINDOWS\SYSTEM32\pqtwa.bak1
C:\WINDOWS\SYSTEM32\pqtwa.ini
C:\WINDOWS\system32\qmadmnte.exe
C:\WINDOWS\SYSTEM32\qqstv.bak1
C:\WINDOWS\SYSTEM32\qqstv.ini
C:\WINDOWS\system32\qrrnibyq.exe
C:\WINDOWS\SYSTEM32\qttss.bak1
C:\WINDOWS\SYSTEM32\qttss.ini
C:\WINDOWS\system32\qwhcnhvb.exe
C:\WINDOWS\system32\sablilmp.exe
C:\WINDOWS\system32\ssqnoom.dll
C:\WINDOWS\system32\ssqpm.dll
C:\WINDOWS\system32\ssqpo.dll
C:\WINDOWS\system32\ssttq.dll
C:\WINDOWS\system32\thimqadh.exe
C:\WINDOWS\system32\tthjuqlf.exe
C:\WINDOWS\system32\utsffgfq.dll
C:\WINDOWS\system32\vtsqq.dll
C:\WINDOWS\system32\wllaevoi.exe
C:\WINDOWS\SYSTEM32\wybeg.bak1
C:\WINDOWS\SYSTEM32\wybeg.ini
C:\WINDOWS\system32\ysrwfldh.exe
C:\WINDOWS\SYSTEM32\yybeg.bak1
C:\WINDOWS\SYSTEM32\yybeg.ini

.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_DOMAINSERVICE
-------\DomainService


(((((((((((((((((((((((((   Files Created from 2007-10-09 to 2007-11-09  )))))))))))))))))))))))))))))))
.

2007-11-09 07:41    77,888  --a------   C:\WINDOWS\SYSTEM32\afrdncoo.dll
2007-11-09 07:11    88,128  --a------   C:\WINDOWS\SYSTEM32\qjfxdrtd.dll
2007-11-09 07:08    71,232  --a------   C:\WINDOWS\SYSTEM32\qedbokok.exe
2007-11-08 14:04    71,232  --a------   C:\WINDOWS\SYSTEM32\rlnbkyrp.exe
2007-11-08 12:41    71,232  --a------   C:\WINDOWS\SYSTEM32\uhbsbgop.exe
2007-11-08 06:57    71,232  --a------   C:\WINDOWS\SYSTEM32\rjyxsfso.exe
2007-11-07 09:03    71,232  --a------   C:\WINDOWS\SYSTEM32\tfcseayy.exe
2007-11-07 07:57    <DIR>    d--------   C:\Program Files\CCleaner
2007-11-06 08:03    87,104  --a------   C:\WINDOWS\SYSTEM32\htjsbixu.dll
2007-10-24 06:53    582,656 ---------   C:\WINDOWS\SYSTEM32\DLLCACHE\rpcrt4.dll

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-07 17:11    ---------   d-----w C:\Program Files\Google
2007-11-07 13:31    ---------   d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-06 18:46    ---------   d-----w C:\Documents and Settings\Faye\Application Data\AdobeUM
2007-09-25 16:36    ---------   d-----w C:\Program Files\MSN Messenger
2007-09-21 12:03    32,832  ----a-w C:\WINDOWS\SYSTEM32\mljgg.dll
2007-09-21 12:03    32,768  ----a-w C:\WINDOWS\SYSTEM32\srmlbzyt.dll
2007-09-21 12:03    3,584   ----a-w C:\WINDOWS\SYSTEM32\mljgg.exe
2007-09-12 13:10    ---------   d-----w C:\Program Files\Trend Micro
2007-09-11 11:54    246 ----a-w C:\Program Files\Common Files\qukaf
2007-08-21 06:15    683,520 ----a-w C:\WINDOWS\SYSTEM32\inetcomm.dll
2007-08-21 06:15    683,520 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\inetcomm.dll
2007-08-20 10:04    824,832 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wininet.dll
2007-08-20 10:04    671,232 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mstime.dll
2007-08-20 10:04    63,488  ------w C:\WINDOWS\SYSTEM32\DLLCACHE\icardie.dll
2007-08-20 10:04    6,058,496   ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieframe.dll
2007-08-20 10:04    52,224  ------w C:\WINDOWS\SYSTEM32\DLLCACHE\msfeedsbs.dll
2007-08-20 10:04    477,696 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtmled.dll
2007-08-20 10:04    459,264 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\msfeeds.dll
2007-08-20 10:04    44,544  ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iernonce.dll
2007-08-20 10:04    384,512 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iedkcs32.dll
2007-08-20 10:04    383,488 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieapfltr.dll
2007-08-20 10:04    3,584,512   ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtml.dll
2007-08-20 10:04    27,648  ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\jsproxy.dll
2007-08-20 10:04    267,776 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iertutil.dll
2007-08-20 10:04    232,960 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\webcheck.dll
2007-08-20 10:04    230,400 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieaksie.dll
2007-08-20 10:04    214,528 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\dxtrans.dll
2007-08-20 10:04    193,024 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\msrating.dll
2007-08-20 10:04    153,088 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieakeng.dll
2007-08-20 10:04    132,608 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\extmgr.dll
2007-08-20 10:04    124,928 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\advpack.dll
2007-08-20 10:04    105,984 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\url.dll
2007-08-20 10:04    102,400 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\occache.dll
2007-08-20 10:04    1,152,000   ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\urlmon.dll
2007-08-17 10:21    625,152 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iexplore.exe
2007-08-17 10:20    63,488  ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ie4uinit.exe
2007-08-17 10:20    13,824  ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieudinit.exe
2007-08-17 07:34    161,792 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieakui.dll
2006-09-07 13:56    6,144   --sha-w C:\Program Files\Thumbs.db
2005-12-27 13:44    2,770,856   ----a-w C:\Program Files\setupex.exe
2005-12-27 13:42    131,683 ----a-w C:\Program Files\wwe_sd_vs_raw_06_d.max
2005-12-16 16:37    39,936  ----a-w C:\Program Files\Dec[1]._05.xls
2005-12-14 19:28    8,965,894   ----a-w C:\Program Files\Roddy TD_0001.wmv
2005-12-06 13:18    22,796,394  ----a-w C:\Program Files\x-men_3-pre_teaser_h-1[1].640.wmv
2005-12-02 18:58    419,829 ----a-w C:\Program Files\ciri_miri_cica.pdf
2005-11-28 15:42    429,166 ----a-w C:\Program Files\Cetir'_Konja_Debela.pdf
2005-11-18 18:08    1,323,791   ----a-w C:\Program Files\awesomo.zip
2005-01-13 15:34    2,855,552   ----a-w C:\Program Files\PPView97.exe
2004-12-22 15:21    1,799,680   ----a-w C:\Program Files\Builder Distributor 1-3-2005.xls
2004-09-08 15:51    16,706,160  ----a-w C:\Program Files\AdbeRdr60_enu_full.exe
2004-09-08 15:21    4,342,088   ----a-w C:\Program Files\Acro-Reader_6.0.2_Update.exe
2004-05-13 21:38    19,584  ----a-w C:\Program Files\location.ini
2005-07-29 20:24:26 472 --sha-r C:\WINDOWS\RmF5ZQ\lAIctk.vbs
2004-01-21 20:57:00 734,982 --sha-w C:\WINDOWS\SYSTEM32\acbeg.bak1
2004-01-22 21:22:13 690,028 --sha-w C:\WINDOWS\SYSTEM32\ghhkj.bak1
2004-01-15 04:06:47 1,530,515   --sha-w C:\WINDOWS\SYSTEM32\hgjlm.bak1
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4c17cb68-d814-4d91-9eb7-262102459a24}]
2007-11-09 07:41    77888   --a------   C:\WINDOWS\system32\afrdncoo.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8CE76EC7-77CB-41DA-98B8-95D0A948DB4B}]
2004-01-14 23:06    319072  --a------   C:\WINDOWS\system32\mljgh.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D29BF76B-8BD3-4BD1-895A-2709535A9FD1}]
2004-01-21 15:56    313440  --a------   C:\WINDOWS\system32\gebca.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D2D451E2-8EA1-4466-B934-A4D6BB63E6E5}]
2004-01-22 16:21    307808  --a------   C:\WINDOWS\system32\jkhhg.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 04:25]
"URLLSTCK.exe"="C:\Program Files\Norton Internet Security\UrlLstCk.exe" [2003-11-21 17:04]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2004-09-25 12:05]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-06-28 07:04]
"mmtask"="c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe" [2003-10-06 11:05]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-02-23 15:45]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2003-11-10 13:30]
"70c0093d"="C:\WINDOWS\system32\qjfxdrtd.dll" [2007-11-09 07:11]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-29 07:43]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"swg"=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
20-20 Shortcut Bar.lnk.disabled [2006-06-20 14:22:42] 
Adobe Gamma Loader.lnk.disabled [2006-01-17 08:30:47] 
Digital Line Detect.lnk.disabled [2004-03-19 07:31:36] 
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-01-21 03:15:54]
Wireless-B USB Network Adapter Utility.lnk - C:\Program Files\Linksys\Wireless-B USB Network Adapter\WUSB11Cfg.exe [2004-06-24 11:15:32]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= C:\Program Files\Common Files\rteses.html
FriendlyName= 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Notification Packages"= scecli mljgg.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe
"swg"=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"DwlClient"=C:\Program Files\Common Files\Dell\EUSW\Support.exe
"nwiz"=nwiz.exe /installquiet
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe"
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
"StorageGuard"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r

R1 ATMhelpr;ATMhelpr;C:\WINDOWS\system32\drivers\ATMhelpr.sys
R2 NICSer_WUSB11;NICSer_WUSB11;C:\Program Files\Linksys\Wireless-B USB Network Adapter\NICServ.exe
R3 USBNET;Instant Wireless USB Network Adapter ver.2.6 Driver;C:\WINDOWS\system32\DRIVERS\netusb.sys
S3 DELL_A02;Dell TrueMobile 1300 USB2.0 WLAN Card Driver;C:\WINDOWS\system32\DRIVERS\PRISMA02.sys
S3 FVNETusb;Linksys Wireless-B USB Network Adapter v2.8 Driver;C:\WINDOWS\system32\DRIVERS\vnet558x.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-09-22 00:00:00 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job"
"2007-11-09 14:25:00 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-09 09:18:18
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully 
hidden files: 0 

**************************************************************************
.
Completion time: 2007-11-09  9:27:47 - machine was rebooted 
C:\ComboFix-quarantined-files.txt ... 2007-09-13 08:40
C:\ComboFix2.txt ... 2007-09-13 08:40
C:\ComboFix3.txt ... 2007-07-20 07:49
.
    --- E O F ---

And now the HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:38:34 AM, on 11/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Linksys\Wireless-B USB Network Adapter\NICServ.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Linksys\Wireless-B USB Network Adapter\WUSB11Cfg.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Faye\Desktop\analyze.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sirius.com/sirius/servlet/MediaPlayer?stream=&
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: {42a95420-1262-7be9-19d4-418d86bc71c4} - {4c17cb68-d814-4d91-9eb7-262102459a24} - C:\WINDOWS\system32\afrdncoo.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {8CE76EC7-77CB-41DA-98B8-95D0A948DB4B} - C:\WINDOWS\system32\mljgh.dll
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {D29BF76B-8BD3-4BD1-895A-2709535A9FD1} - C:\WINDOWS\system32\gebca.dll
O2 - BHO: (no name) - {D2D451E2-8EA1-4466-B934-A4D6BB63E6E5} - C:\WINDOWS\system32\jkhhg.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [70c0093d] rundll32.exe "C:\WINDOWS\system32\qjfxdrtd.dll",b
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Default user')
O4 - Global Startup: 20-20 Shortcut Bar.lnk.disabled
O4 - Global Startup: Adobe Gamma Loader.lnk.disabled
O4 - Global Startup: Digital Line Detect.lnk.disabled
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Wireless-B USB Network Adapter Utility.lnk = C:\Program Files\Linksys\Wireless-B USB Network Adapter\WUSB11Cfg.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: ActiveGS.cab - http://www.virtualapple.com/activegs.cab
O16 - DPF: RaptisoftGameLoader - http://www.miniclip.com/haphazard/raptisoftgameloader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E6ACF817-0A85-4EBE-9F0A-096C6488CFEA} (NTR ActiveX 1.1.8) - http://209.192.44.149/inquiero/mod/setup/ntractivex118_24.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NICSer_WUSB11 - Unknown owner - C:\Program Files\Linksys\Wireless-B USB Network Adapter\NICServ.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Sentinel Protection Server (SentinelProtectionServer) - SafeNet, Inc - C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\Common Files\rteses.html

--
End of file - 8141 bytes

Thanks again.

Edited by mike_2000_17: Fixed formatting


hi all.

Another very good anti-spyware with an antivirus is Spyware Terminator, which comes with a very useful toolbar that tells you what websites are safe to visit. Here is the link to the home website for Spyware Terminator.

http://www.spywareterminator.com/

And you are all very welcome for the link.


Please go to Jotti's or to VirusTotal and have these files scanned. Post the results back here.

C:\WINDOWS\SYSTEM32\afrdncoo.dll
C:\WINDOWS\SYSTEM32\qjfxdrtd.dll
C:\WINDOWS\SYSTEM32\qedbokok.exe
C:\WINDOWS\SYSTEM32\rlnbkyrp.exe
C:\WINDOWS\SYSTEM32\uhbsbgop.exe
C:\WINDOWS\SYSTEM32\rjyxsfso.exe
C:\WINDOWS\SYSTEM32\tfcseayy.exe
C:\WINDOWS\SYSTEM32\htjsbixu.dll
C:\WINDOWS\SYSTEM32\DLLCACHE\rpcrt4.dll
C:\WINDOWS\SYSTEM32\mljgg.dll
C:\WINDOWS\SYSTEM32\srmlbzyt.dll
C:\WINDOWS\SYSTEM32\mljgg.exe
C:\Program Files\Common Files\qukaf
C:\Program Files\setupex.exe
C:\WINDOWS\SYSTEM32\acbeg.bak1
C:\WINDOWS\SYSTEM32\ghhkj.bak1
C:\WINDOWS\SYSTEM32\hgjlm.bak1


Ok, I'll do that, but how would you like me to post the results in here? There are 3 sections: Service, Scanner Results, and Statistics. Do you need all 3? Just trying to make it easier for ya.

Thanks


Hello again crunchie, Happy Monday to you. Here are the scan results you asked for. Thanks.


C:\WINDOWS\SYSTEM32\afrdncoo.dll
Scanner results
Scan taken on 12 Nov 2007 13:26:38 (GMT)
A-Squared Found nothing
AntiVir Found TR/BHO.SK
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found BHO.CNG
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found Vundo!tr
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Rising Antivirus Found nothing
Sophos Antivirus Found Mal/Generic-A
VirusBuster Found nothing
VBA32 Found nothing


C:\WINDOWS\SYSTEM32\qjfxdrtd.dll
Scanner results
Scan taken on 12 Nov 2007 13:30:02 (GMT)
A-Squared Found nothing
AntiVir Found TR/Dldr.ConHook.Gen
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found Lop.3.J
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found Vundo.gen49
Panda Antivirus Found nothing
Rising Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing

C:\WINDOWS\SYSTEM32\qedbokok.exe
Scanner results
Scan taken on 12 Nov 2007 13:34:15 (GMT)
A-Squared Found Heuristic.LOP
AntiVir Found TR/Fotomoto.F.1
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found Obfustat.VUL
BitDefender Found Trojan.Fotomoto.F
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found Trojan.EzulaAd
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found Trojan.Win32.Obfuscated.kp
Fortinet Found nothing
Kaspersky Anti-Virus Found Trojan.Win32.Obfuscated.kp
NOD32 Found Win32/Adware.Ezula application
Norman Virus Control Found W32/Virtumonde.IIO
Panda Antivirus Found nothing
Rising Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing

C:\WINDOWS\SYSTEM32\rlnbkyrp.exe
Scanner results
Scan taken on 12 Nov 2007 13:38:07 (GMT)
A-Squared Found nothing
AntiVir Found TR/Fotomoto.F.1
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found Obfustat.VUL
BitDefender Found Trojan.Fotomoto.F
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found Trojan.EzulaAd
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found Trojan.Win32.Obfuscated.kp
Fortinet Found nothing
Kaspersky Anti-Virus Found Trojan.Win32.Obfuscated.kp
NOD32 Found Win32/Adware.Ezula application
Norman Virus Control Found W32/Virtumonde.IIO
Panda Antivirus Found nothing
Rising Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing

C:\WINDOWS\SYSTEM32\uhbsbgop.exe
Scanner results
Scan taken on 12 Nov 2007 13:43:51 (GMT)
A-Squared Found Heuristic.LOP
AntiVir Found TR/Fotomoto.F.1
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found Obfustat.VUL
BitDefender Found Trojan.Fotomoto.F
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found Trojan.EzulaAd
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found Trojan.Win32.Obfuscated.kp
Fortinet Found nothing
Kaspersky Anti-Virus Found Trojan.Win32.Obfuscated.kp
NOD32 Found Win32/Adware.Ezula application
Norman Virus Control Found W32/Virtumonde.IIO
Panda Antivirus Found nothing
Rising Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing

C:\WINDOWS\SYSTEM32\rjyxsfso.exe
Scanner results
Scan taken on 12 Nov 2007 13:47:33 (GMT)
A-Squared Found nothing
AntiVir Found TR/Fotomoto.F.1
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found Obfustat.VUL
BitDefender Found Trojan.Fotomoto.F
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found Trojan.EzulaAd
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found Trojan.Win32.Obfuscated.kp
Fortinet Found nothing
Kaspersky Anti-Virus Found Trojan.Win32.Obfuscated.kp
NOD32 Found Win32/Adware.Ezula application
Norman Virus Control Found W32/Virtumonde.IIO
Panda Antivirus Found nothing
Rising Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing


This was the point where Jotti seemed to go down, and I got the following error message:

Error: unable to connect to database. The administrator has already been notified, it is not necessary to contact us.

At this point I switched to VirusTotal.


C:\WINDOWS\SYSTEM32\tfcseayy.exe
Antivirus Version Last Update Result
AhnLab-V3 2007.11.12.0 2007.11.12 Win-Trojan/Fotomoto.71232
AntiVir 7.6.0.34 2007.11.12 TR/Fotomoto.F.1
Authentium 4.93.8 2007.11.10 -
Avast 4.7.1074.0 2007.11.11 -
AVG 7.5.0.503 2007.11.11 Obfustat.VUL
BitDefender 7.2 2007.11.12 Trojan.Fotomoto.F
CAT-QuickHeal 9.00 2007.11.12 Trojan.Obfuscated.kp
ClamAV 0.91.2 2007.11.12 -
DrWeb 4.44.0.09170 2007.11.12 Trojan.EzulaAd
eSafe 7.0.15.0 2007.11.08 Suspicious File
eTrust-Vet 31.2.5289 2007.11.12 -
Ewido 4.0 2007.11.12 -
FileAdvisor 1 2007.11.12 -
Fortinet 3.11.0.0 2007.10.19 -
F-Prot 4.4.2.54 2007.11.10 -
F-Secure 6.70.13030.0 2007.11.12 Trojan.Win32.Obfuscated.kp
Ikarus T3.1.1.12 2007.11.12 Trojan.Fotomoto.F
Kaspersky 7.0.0.125 2007.11.12 Trojan.Win32.Obfuscated.kp
McAfee 5160 2007.11.09 Vundo.dr
Microsoft 1.3007 2007.11.12 -
NOD32v2 2653 2007.11.12 Win32/Adware.Ezula
Norman 5.80.02 2007.11.09 W32/Virtumonde.IIO
Panda 9.0.0.4 2007.11.11 Spyware/Virtumonde
Prevx1 V2 2007.11.12 Malware.Gen
Rising 20.18.02.00 2007.11.12 -
Sophos 4.23.0 2007.11.12 -
Sunbelt 2.2.907.0 2007.11.09 -
Symantec 10 2007.11.12 Adware.Ezula
TheHacker 6.2.9.124 2007.11.12 -
VBA32 3.12.2.4 2007.11.11 -
VirusBuster 4.3.26:9 2007.11.11 -
Webwasher-Gateway 6.0.1 2007.11.12 Trojan.Fotomoto.F.1


At this point VirusTotal stalled out, but Jotti was back up so I went back there:

C:\WINDOWS\SYSTEM32\htjsbixu.dll
Scanner results
Scan taken on 12 Nov 2007 14:48:13 (GMT)
A-Squared Found nothing
AntiVir Found TR/BHO.Agent.AV
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found BHO.CMQ
BitDefender Found Trojan.Agent.AFSH
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found Win32/Adware.Virtumonde application
Norman Virus Control Found Vundo.gen49
Panda Antivirus Found nothing
Rising Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing


C:\WINDOWS\SYSTEM32\DLLCACHE\rpcrt4.dll
Scanner results
Scan taken on 12 Nov 2007 15:00:23 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Rising Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing


C:\WINDOWS\SYSTEM32\mljgg.dll
Scanner results
Scan taken on 12 Nov 2007 15:05:53 (GMT)
A-Squared Found nothing
AntiVir Found TR/Vundo.Gen
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found MULDROP.Trojan (probable variant)
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Rising Antivirus Found nothing
Sophos Antivirus Found Mal/Behav-010
VirusBuster Found nothing
VBA32 Found nothing


C:\WINDOWS\SYSTEM32\srmlbzyt.dll
Scanner results
Scan taken on 12 Nov 2007 15:10:05 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found MULDROP.Trojan (probable variant)
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Rising Antivirus Found nothing
Sophos Antivirus Found Mal/Behav-010
VirusBuster Found nothing
VBA32 Found nothing

C:\WINDOWS\SYSTEM32\mljgg.exe
Scanner results
Scan taken on 12 Nov 2007 15:16:44 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Rising Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing

C:\Program Files\Common Files\qukaf
Scanner results
Scan taken on 12 Nov 2007 15:20:52 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Rising Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing

C:\Program Files\setupex.exe
Scanner results
Scan taken on 12 Nov 2007 15:29:46 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Rising Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing

C:\WINDOWS\SYSTEM32\acbeg.bak1
Scanner results
Scan taken on 12 Nov 2007 15:38:57 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Rising Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing

C:\WINDOWS\SYSTEM32\ghhkj.bak1
Scanner results
Scan taken on 12 Nov 2007 15:47:09 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Rising Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing

C:\WINDOWS\SYSTEM32\hgjlm.bak1
Scanner results
Scan taken on 12 Nov 2007 15:57:03 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Rising Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing

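One thing the long list of scanner results above illustrates: counting engines is a poor way to decide whether a file is hostile. mljgg.dll was flagged by only 3 of 20 engines, yet the ComboFix log further down in this thread shows it registered as the LSA Notification Package, which gets loaded into lsass.exe at boot. The Python below parses both the Jotti layout ("engine Found verdict") and the VirusTotal layout ("engine version date verdict") exactly as pasted here, counts detections per file, and folds vendor-specific names (Vundo/Virtumonde, Fotomoto, Ezula) into one family label so you can see what the engines that do fire agree on. This is an added example written for the thread, not Jotti, VirusTotal or ComboFix code and not something any poster wrote; the report lines are copied and abridged from the posts above, and the parsing rules and family aliases are assumptions.

```python
"""Aggregate multi-engine scan results (Jotti / VirusTotal style) per file.

Added example for this thread, not part of it and not Jotti or VirusTotal
code. The report lines below are copied (abridged) from the results posted
above; the two line layouts and the family-name aliases are assumptions made
to parse exactly what was pasted here.
"""
import re
from collections import defaultdict

SAMPLE = r"""C:\WINDOWS\SYSTEM32\afrdncoo.dll
Scanner results
Scan taken on 12 Nov 2007 13:26:38 (GMT)
A-Squared Found nothing
AntiVir Found TR/BHO.SK
AVG Antivirus Found BHO.CNG
Fortinet Found Vundo!tr
Kaspersky Anti-Virus Found nothing
Sophos Antivirus Found Mal/Generic-A

C:\WINDOWS\SYSTEM32\tfcseayy.exe
Antivirus Version Last Update Result
AhnLab-V3 2007.11.12.0 2007.11.12 Win-Trojan/Fotomoto.71232
Avast 4.7.1074.0 2007.11.11 -
BitDefender 7.2 2007.11.12 Trojan.Fotomoto.F
NOD32v2 2653 2007.11.12 Win32/Adware.Ezula
Norman 5.80.02 2007.11.09 W32/Virtumonde.IIO
VirusBuster 4.3.26:9 2007.11.11 -

C:\WINDOWS\SYSTEM32\mljgg.dll
Scanner results
AntiVir Found TR/Vundo.Gen
Avast Found nothing
Dr.Web Found MULDROP.Trojan (probable variant)
Kaspersky Anti-Virus Found nothing
Sophos Antivirus Found Mal/Behav-010
"""

PATH_RE = re.compile(r"^[A-Za-z]:\\")
# Jotti: "<engine> Found <verdict|nothing>"
JOTTI_RE = re.compile(r"^(?P<engine>.+?) Found (?P<verdict>.+)$")
# VirusTotal: "<engine> <version> <yyyy.mm.dd> <verdict|->"
VT_RE = re.compile(r"^(?P<engine>\S+) \S+ \d{4}\.\d{2}\.\d{2} (?P<verdict>.+)$")
SKIP_PREFIXES = ("Scanner results", "Scan taken", "Antivirus Version")
# Vendors name the same family differently; fold them together (assumption).
FAMILIES = {"vundo": "Vundo/Virtumonde", "virtumonde": "Vundo/Virtumonde",
            "fotomoto": "Fotomoto", "ezula": "Ezula", "conhook": "ConHook"}


def parse_report(text):
    """Return {path: [(engine, verdict or None), ...]} from a pasted report."""
    results = defaultdict(list)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if PATH_RE.match(line):          # a Windows path opens a new per-file block
            current = line
            results[current]             # register the file even if no engine lines follow
            continue
        if current is None or line.startswith(SKIP_PREFIXES):
            continue
        m = JOTTI_RE.match(line) or VT_RE.match(line)
        if m:
            verdict = m.group("verdict")
            clean = verdict in ("nothing", "-")
            results[current].append((m.group("engine"), None if clean else verdict))
    return dict(results)


def family_of(verdict):
    """Map a vendor detection name onto one of the FAMILIES labels, or None."""
    low = verdict.lower()
    for key, label in FAMILIES.items():
        if key in low:
            return label
    return None


def summarize(results):
    """Per file: engines run, engines that flagged it, and the family most of them name."""
    summary = {}
    for path, rows in results.items():
        hits = [v for _, v in rows if v]
        votes = defaultdict(int)
        for v in hits:
            fam = family_of(v)
            if fam:
                votes[fam] += 1
        top = max(votes, key=votes.get) if votes else None
        summary[path] = {"detections": len(hits), "engines": len(rows), "family": top}
    return summary


if __name__ == "__main__":
    for path, s in summarize(parse_report(SAMPLE)).items():
        print(f"{s['detections']:2}/{s['engines']:<2} {s['family'] or '(no consensus)':18} {path}")
```

Paste a whole results post into parse_report() and the summary gives you, per file, how many engines ran, how many fired, and the family the firing engines agree on. Treat a low count as "unknown", not "clean": a file in a persistence slot like the LSA notification list deserves attention regardless of the score.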

A. Please RUN HijackThis

  1. Click the SCAN button to produce a log.
  2. Place a check mark beside each one of the following items:

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

    O2 - BHO: {42a95420-1262-7be9-19d4-418d86bc71c4} - {4c17cb68-d814-4d91-9eb7-262102459a24} - C:\WINDOWS\system32\afrdncoo.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: (no name) - {8CE76EC7-77CB-41DA-98B8-95D0A948DB4B} - C:\WINDOWS\system32\mljgh.dll
    O2 - BHO: (no name) - {D29BF76B-8BD3-4BD1-895A-2709535A9FD1} - C:\WINDOWS\system32\gebca.dll
    O2 - BHO: (no name) - {D2D451E2-8EA1-4466-B934-A4D6BB63E6E5} - C:\WINDOWS\system32\jkhhg.dll

    O4 - HKLM\..\Run: [70c0093d] rundll32.exe "C:\WINDOWS\system32\qjfxdrtd.dll",b

  3. Now with all the items selected, and all windows closed except for HJT, delete them by clicking the FIX checked button. Close the HijackThis window.

B. 1. Please open Notepad

  • Click Start , then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\WINDOWS\SYSTEM32\afrdncoo.dll
C:\WINDOWS\SYSTEM32\qjfxdrtd.dll
C:\WINDOWS\SYSTEM32\qedbokok.exe
C:\WINDOWS\SYSTEM32\rlnbkyrp.exe
C:\WINDOWS\SYSTEM32\uhbsbgop.exe
C:\WINDOWS\SYSTEM32\rjyxsfso.exe
C:\WINDOWS\SYSTEM32\tfcseayy.exe
C:\WINDOWS\SYSTEM32\htjsbixu.dll
C:\WINDOWS\SYSTEM32\mljgg.dll
C:\WINDOWS\SYSTEM32\srmlbzyt.dll
C:\WINDOWS\SYSTEM32\mljgg.exe
C:\WINDOWS\SYSTEM32\ghhkj.bak1
C:\WINDOWS\SYSTEM32\hgjlm.bak1
C:\WINDOWS\SYSTEM32\mljgh.dll
C:\WINDOWS\SYSTEM32\gebca.dll
C:\WINDOWS\SYSTEM32\jkhhg.dll
Registry::
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Notification Packages"=-

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

http://i5.photobucket.com/albums/y153/crunchie1/CFScript.gif


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:

  • Combofix.txt
  • A new HijackThis log.
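The entries crunchie singled out above share a few tells you can check mechanically: an O4 Run value named with eight hex digits that launches rundll32 on a random-named DLL from system32, O2 BHOs with no name (or a GUID where the name should be) backed by the same kind of DLL, an O16 ActiveX download point on a bare IP address, and an O24 Active Desktop component served from a local HTML file. The Python below scores HijackThis lines on those tells. It is an added example written for this thread, not HijackThis code and not something crunchie posted; the sample lines are copied from the logs above, and the patterns, severity labels and the "5 to 8 lowercase letters" notion of a random name are assumptions for illustration, not a complete rule set.

```python
"""Heuristic triage of HijackThis (HJT) log lines.

Added example written for this thread; it is not part of the thread and not
HijackThis code. The sample lines are copied from the logs posted above. The
rules mirror what a helper picks out by eye (assumptions for illustration,
not an authoritative rule set).
"""
import re

SAMPLE_LOG = r"""R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: {42a95420-1262-7be9-19d4-418d86bc71c4} - {4c17cb68-d814-4d91-9eb7-262102459a24} - C:\WINDOWS\system32\afrdncoo.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {8CE76EC7-77CB-41DA-98B8-95D0A948DB4B} - C:\WINDOWS\system32\mljgh.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [70c0093d] rundll32.exe "C:\WINDOWS\system32\qjfxdrtd.dll",b
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E6ACF817-0A85-4EBE-9F0A-096C6488CFEA} (NTR ActiveX 1.1.8) - http://209.192.44.149/inquiero/mod/setup/ntractivex118_24.cab
O23 - Service: NICSer_WUSB11 - Unknown owner - C:\Program Files\Linksys\Wireless-B USB Network Adapter\NICServ.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\Common Files\rteses.html
"""

HEX_NAME = re.compile(r"^[0-9a-f]{8}$")           # Run value names like [70c0093d]
RANDOM_STEM = re.compile(r"^[a-z]{5,8}$")         # file stems like qjfxdrtd, mljgh (assumption)
GUID = re.compile(r"^\{[0-9a-f-]+\}$", re.I)
IP_URL = re.compile(r"^https?://\d{1,3}(?:\.\d{1,3}){3}/", re.I)
O4_RE = re.compile(r"^O4 - (?P<hive>.+?): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
O2_RE = re.compile(r"^O2 - BHO: (?P<label>.+?) - \{[0-9A-Fa-f-]+\} - (?P<file>.+)$")
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)', re.I)


def stem(path):
    """Lower-case file name without extension, e.g. qjfxdrtd.dll -> qjfxdrtd."""
    return path.rsplit("\\", 1)[-1].rsplit(".", 1)[0].lower()


def triage_line(line):
    """Return (severity, reason) for one HJT line, or None if nothing stands out."""
    line = line.strip()
    kind = line.split(" - ", 1)[0]
    if kind == "O4":
        m = O4_RE.match(line)
        if m:
            name, cmd = m.group("name"), m.group("cmd")
            d = RUNDLL_RE.search(cmd)
            random_dll = d and "system32" in d.group("dll").lower() and RANDOM_STEM.match(stem(d.group("dll")))
            if HEX_NAME.match(name) or random_dll:
                return ("high", f"Run value [{name}] launches a random-named DLL via rundll32: {cmd}")
    elif kind == "O2":
        m = O2_RE.match(line)
        if m:
            label, path = m.group("label"), m.group("file")
            if path == "(no file)":
                return ("low", f"orphaned BHO entry, file already gone: {line}")
            unnamed = label == "(no name)" or GUID.match(label)
            if unnamed and "system32" in path.lower() and RANDOM_STEM.match(stem(path)):
                return ("high", f"unnamed BHO backed by a random-named DLL in system32: {path}")
    elif kind == "O16":
        url = line.rsplit(" - ", 1)[-1]
        if IP_URL.match(url):
            return ("medium", f"ActiveX download point hosted on a bare IP address: {url}")
    elif kind == "O24":
        src = line.rsplit(" - ", 1)[-1]
        if re.match(r"^[A-Za-z]:\\", src):
            return ("medium", f"Active Desktop component served from a local file: {src}")
    elif kind == "O23" and "Unknown owner" in line:
        return ("info", f"service with no company name, verify the binary by hand: {line}")
    return None


def triage(log_text):
    """Run triage_line over a whole log; returns [(severity, reason), ...] in log order."""
    out = []
    for line in log_text.splitlines():
        if line.strip():
            hit = triage_line(line)
            if hit:
                out.append(hit)
    return out


if __name__ == "__main__":
    for severity, reason in triage(SAMPLE_LOG):
        print(f"[{severity:6}] {reason}")
```

Run it as a script to print the findings, or pass a whole log to triage(). It points a reader at what to look up rather than replacing the helper's judgement: the O23 "Unknown owner" hit in the sample is the Linksys adapter service, which is legitimate, and a BHO with a real product name can still be bad.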

Hello again crunchie.

Here are the two logs you asked me to post after following your instructions.

ComboFix log:

ComboFix 07-11-08.1 - Faye 2007-11-13 14:57:48.2 - NTFSx86 
Microsoft Windows XP Home Edition  5.1.2600.2.1252.1.1033.18.113 [GMT -5:00]
Running from: C:\Documents and Settings\Faye\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Faye\Desktop\CFScript.txt
 * Created a new restore point
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\cookies.ini

.
(((((((((((((((((((((((((   Files Created from 2007-10-13 to 2007-11-13  )))))))))))))))))))))))))))))))
.

2007-11-09 07:11    88,128  --a------   C:\WINDOWS\SYSTEM32\qjfxdrtd.dll
2007-11-09 07:08    71,232  --a------   C:\WINDOWS\SYSTEM32\qedbokok.exe
2007-11-08 14:04    71,232  --a------   C:\WINDOWS\SYSTEM32\rlnbkyrp.exe
2007-11-08 12:41    71,232  --a------   C:\WINDOWS\SYSTEM32\uhbsbgop.exe
2007-11-08 06:57    71,232  --a------   C:\WINDOWS\SYSTEM32\rjyxsfso.exe
2007-11-07 09:03    71,232  --a------   C:\WINDOWS\SYSTEM32\tfcseayy.exe
2007-11-07 07:57    <DIR>    d--------   C:\Program Files\CCleaner
2007-11-06 08:03    87,104  --a------   C:\WINDOWS\SYSTEM32\htjsbixu.dll
2007-10-24 06:53    582,656 ---------   C:\WINDOWS\SYSTEM32\DLLCACHE\rpcrt4.dll

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-07 17:11    ---------   d-----w C:\Program Files\Google
2007-11-07 13:31    ---------   d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-06 18:46    ---------   d-----w C:\Documents and Settings\Faye\Application Data\AdobeUM
2007-09-25 16:36    ---------   d-----w C:\Program Files\MSN Messenger
2007-09-21 12:03    32,832  ----a-w C:\WINDOWS\SYSTEM32\mljgg.dll
2007-09-21 12:03    32,768  ----a-w C:\WINDOWS\SYSTEM32\srmlbzyt.dll
2007-09-21 12:03    3,584   ----a-w C:\WINDOWS\SYSTEM32\mljgg.exe
2007-09-11 11:54    246 ----a-w C:\Program Files\Common Files\qukaf
2007-08-21 06:15    683,520 ----a-w C:\WINDOWS\SYSTEM32\inetcomm.dll
2007-08-21 06:15    683,520 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\inetcomm.dll
2007-08-20 10:04    824,832 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wininet.dll
2007-08-20 10:04    671,232 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mstime.dll
2007-08-20 10:04    63,488  ------w C:\WINDOWS\SYSTEM32\DLLCACHE\icardie.dll
2007-08-20 10:04    6,058,496   ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieframe.dll
2007-08-20 10:04    52,224  ------w C:\WINDOWS\SYSTEM32\DLLCACHE\msfeedsbs.dll
2007-08-20 10:04    477,696 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtmled.dll
2007-08-20 10:04    459,264 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\msfeeds.dll
2007-08-20 10:04    44,544  ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iernonce.dll
2007-08-20 10:04    384,512 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iedkcs32.dll
2007-08-20 10:04    383,488 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieapfltr.dll
2007-08-20 10:04    3,584,512   ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtml.dll
2007-08-20 10:04    27,648  ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\jsproxy.dll
2007-08-20 10:04    267,776 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iertutil.dll
2007-08-20 10:04    232,960 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\webcheck.dll
2007-08-20 10:04    230,400 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieaksie.dll
2007-08-20 10:04    214,528 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\dxtrans.dll
2007-08-20 10:04    193,024 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\msrating.dll
2007-08-20 10:04    153,088 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieakeng.dll
2007-08-20 10:04    132,608 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\extmgr.dll
2007-08-20 10:04    124,928 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\advpack.dll
2007-08-20 10:04    105,984 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\url.dll
2007-08-20 10:04    102,400 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\occache.dll
2007-08-20 10:04    1,152,000   ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\urlmon.dll
2007-08-17 10:21    625,152 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iexplore.exe
2007-08-17 10:20    63,488  ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ie4uinit.exe
2007-08-17 10:20    13,824  ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieudinit.exe
2007-08-17 07:34    161,792 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieakui.dll
2006-09-07 13:56    6,144   --sha-w C:\Program Files\Thumbs.db
2005-12-27 13:44    2,770,856   ----a-w C:\Program Files\setupex.exe
2005-12-27 13:42    131,683 ----a-w C:\Program Files\wwe_sd_vs_raw_06_d.max
2005-12-16 16:37    39,936  ----a-w C:\Program Files\Dec[1]._05.xls
2005-12-14 19:28    8,965,894   ----a-w C:\Program Files\Roddy TD_0001.wmv
2005-12-06 13:18    22,796,394  ----a-w C:\Program Files\x-men_3-pre_teaser_h-1[1].640.wmv
2005-12-02 18:58    419,829 ----a-w C:\Program Files\ciri_miri_cica.pdf
2005-11-28 15:42    429,166 ----a-w C:\Program Files\Cetir'_Konja_Debela.pdf
2005-11-18 18:08    1,323,791   ----a-w C:\Program Files\awesomo.zip
2005-01-13 15:34    2,855,552   ----a-w C:\Program Files\PPView97.exe
2004-12-22 15:21    1,799,680   ----a-w C:\Program Files\Builder Distributor 1-3-2005.xls
2004-09-08 15:51    16,706,160  ----a-w C:\Program Files\AdbeRdr60_enu_full.exe
2004-09-08 15:21    4,342,088   ----a-w C:\Program Files\Acro-Reader_6.0.2_Update.exe
2004-05-13 21:38    19,584  ----a-w C:\Program Files\location.ini
2005-07-29 20:24:26 472 --sha-r C:\WINDOWS\RmF5ZQ\lAIctk.vbs
2004-01-21 20:57:00 734,982 --sha-w C:\WINDOWS\SYSTEM32\acbeg.bak1
2004-01-22 21:22:13 690,028 --sha-w C:\WINDOWS\SYSTEM32\ghhkj.bak1
2004-01-15 04:06:47 1,530,515   --sha-w C:\WINDOWS\SYSTEM32\hgjlm.bak1
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 04:25]
"URLLSTCK.exe"="C:\Program Files\Norton Internet Security\UrlLstCk.exe" [2003-11-21 17:04]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2004-09-25 12:05]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-06-28 07:04]
"mmtask"="c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe" [2003-10-06 11:05]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-02-23 15:45]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2003-11-10 13:30]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-29 07:43]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"swg"=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
20-20 Shortcut Bar.lnk.disabled [2006-06-20 14:22:42] 
Adobe Gamma Loader.lnk.disabled [2006-01-17 08:30:47] 
Digital Line Detect.lnk.disabled [2004-03-19 07:31:36] 
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-01-21 03:15:54]
Wireless-B USB Network Adapter Utility.lnk - C:\Program Files\Linksys\Wireless-B USB Network Adapter\WUSB11Cfg.exe [2004-06-24 11:15:32]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= C:\Program Files\Common Files\rteses.html
FriendlyName= 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Notification Packages"= mljgg.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe
"swg"=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"DwlClient"=C:\Program Files\Common Files\Dell\EUSW\Support.exe
"nwiz"=nwiz.exe /installquiet
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe"
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
"StorageGuard"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r

R1 ATMhelpr;ATMhelpr;C:\WINDOWS\system32\drivers\ATMhelpr.sys
R2 NICSer_WUSB11;NICSer_WUSB11;C:\Program Files\Linksys\Wireless-B USB Network Adapter\NICServ.exe
R3 USBNET;Instant Wireless USB Network Adapter ver.2.6 Driver;C:\WINDOWS\system32\DRIVERS\netusb.sys
S3 DELL_A02;Dell TrueMobile 1300 USB2.0 WLAN Card Driver;C:\WINDOWS\system32\DRIVERS\PRISMA02.sys
S3 FVNETusb;Linksys Wireless-B USB Network Adapter v2.8 Driver;C:\WINDOWS\system32\DRIVERS\vnet558x.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-09-22 00:00:00 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job"
"2007-11-13 20:30:00 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-13 15:19:42
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully 
hidden files: 0 

**************************************************************************
.
Completion time: 2007-11-13 15:32:08
C:\ComboFix-quarantined-files.txt ... 2007-09-13 08:40
C:\ComboFix2.txt ... 2007-11-09 09:27
C:\ComboFix3.txt ... 2007-09-13 08:40
.
    --- E O F ---








HiJackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:34:35 PM, on 11/13/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Linksys\Wireless-B USB Network Adapter\NICServ.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Linksys\Wireless-B USB Network Adapter\WUSB11Cfg.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Faye\Desktop\analyze.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sirius.com/sirius/servlet/MediaPlayer?stream=&
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Default user')
O4 - Global Startup: 20-20 Shortcut Bar.lnk.disabled
O4 - Global Startup: Adobe Gamma Loader.lnk.disabled
O4 - Global Startup: Digital Line Detect.lnk.disabled
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Wireless-B USB Network Adapter Utility.lnk = C:\Program Files\Linksys\Wireless-B USB Network Adapter\WUSB11Cfg.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: ActiveGS.cab - http://www.virtualapple.com/activegs.cab
O16 - DPF: RaptisoftGameLoader - http://www.miniclip.com/haphazard/raptisoftgameloader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E6ACF817-0A85-4EBE-9F0A-096C6488CFEA} (NTR ActiveX 1.1.8) - http://209.192.44.149/inquiero/mod/setup/ntractivex118_24.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NICSer_WUSB11 - Unknown owner - C:\Program Files\Linksys\Wireless-B USB Network Adapter\NICServ.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Sentinel Protection Server (SentinelProtectionServer) - SafeNet, Inc - C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\Common Files\rteses.html

--
End of file - 7445 bytes

Please note ComboFix did NOT ask me to reboot, if that means anything. I'm hoping when I reboot nothing nasty comes back. Right now, it seems like everything is running smoother. This page didn't take forever to load, so that's a very good sign. Also no annoying pop-ups. The true test will be when I reboot the machine I think.

Let me know what to do next please, and thanks for all your help thus far. :)

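The HijackThis log posted above is read by hand in this thread. As an added example (not part of the original post or of HijackThis itself), the script below parses the O4, O16, O23 and O24 lines of a HijackThis 2.0 log and applies a few generic triage heuristics: an ActiveX CAB (O16) downloaded from a bare IP address rather than a hostname, a service (O23) whose publisher is reported as "Unknown owner", an unnamed Active Desktop component (O24) pointing at a local file, and an autorun entry (O4) whose binary lives outside Program Files and WINDOWS. The sample input is copied from the posted log; the flags mean "look at this entry", not a verdict that it is malicious.

```python
"""Triage a HijackThis 2.0 log.

Added example for this thread, not HijackThis code.  The heuristics below
are generic review rules; a flagged line still needs a human to decide.
"""
import re
from dataclasses import dataclass, field
from ipaddress import ip_address

# Constructed sample: lines copied from the log posted in the thread above.
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [ccApp] "C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"
O4 - HKCU\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E6ACF817-0A85-4EBE-9F0A-096C6488CFEA} (NTR ActiveX 1.1.8) - http://209.192.44.149/inquiero/mod/setup/ntractivex118_24.cab
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\\WINDOWS\\System32\\nvsvc32.exe
O23 - Service: NICSer_WUSB11 - Unknown owner - C:\\Program Files\\Linksys\\Wireless-B USB Network Adapter\\NICServ.exe
O24 - Desktop Component 0: (no name) - C:\\Program Files\\Common Files\\rteses.html
"""

# Every HJT entry starts with its section code, e.g. "O16 - DPF: ...".
LINE_RE = re.compile(r"^(O\d+) - (.*)$")
# First quoted-or-bare Windows path ending in .exe inside an O4 value.
EXE_RE = re.compile(r'"?([A-Za-z]:\\[^"]*?\.exe)', re.I)


@dataclass
class Entry:
    section: str
    raw: str
    flags: list = field(default_factory=list)


def parse(log_text):
    """Return one Entry per recognised HJT line, in file order."""
    entries = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(Entry(section=m.group(1), raw=line.strip()))
    return entries


def host_of(url):
    """Host part of an http(s) URL, or '' if the value is not a URL."""
    m = re.match(r"https?://([^/:]+)", url, re.I)
    return m.group(1) if m else ""


def is_ip(host):
    """True if the host is a literal IPv4/IPv6 address, not a DNS name."""
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def triage(log_text):
    """Parse the log and attach review flags to entries that match a heuristic."""
    entries = parse(log_text)
    for e in entries:
        if e.section == "O16":
            # O16 format: "DPF: {CLSID} (Name) - <download URL>"; URL is last field.
            url = e.raw.rsplit(" - ", 1)[-1]
            if is_ip(host_of(url)):
                e.flags.append("O16: ActiveX CAB fetched from a bare IP address; verify the publisher")
        elif e.section == "O23":
            if " - Unknown owner - " in e.raw:
                e.flags.append("O23: service has no publisher string; check the file's signature and path")
        elif e.section == "O24":
            if "(no name)" in e.raw:
                e.flags.append("O24: unnamed Active Desktop component; review the target file")
        elif e.section == "O4":
            m = EXE_RE.search(e.raw)
            path = m.group(1).lower() if m else ""
            if path and not ("\\program files\\" in path or "\\windows\\" in path):
                e.flags.append("O4: autorun binary outside Program Files / WINDOWS")
    return entries


def flagged(log_text):
    """Raw lines that picked up at least one flag."""
    return [e.raw for e in triage(log_text) if e.flags]


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        if e.flags:
            print(e.raw)
            for f in e.flags:
                print("   ->", f)
```

Run it against a saved hijackthis.log by replacing SAMPLE_LOG with the file contents; the three sample lines it flags here (the IP-hosted CAB, the "Unknown owner" service, and the unnamed desktop component) are exactly the ones a helper in a thread like this would ask the poster about first.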


Seems to be running a lot better. This page takes a min to load but it could be because I need to update my Flash/Quicktime/Whatever.

I thank you very much for your help, and I'll follow the links in your sig and on this site to prevent further virus infections.

crunchie you are a saint and I can't thank you enough. :)
