ComputerForum.com
Post #21, 05-11-2008, 09:01 PM (Diamond Member, France)

Sorry for the late reply.

OK, since things have changed please post these new logs:


Step1:

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log


Step2:


Download and Run ComboFix
If you already have ComboFix, please delete this copy and download it again as it's being updated regularly.
Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

ComboFix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then the Processes tab (press Ctrl, Alt and Del at the same time) and end any processes of findstr, find, sed or swreg, then ComboFix should continue.
If that happened we want to know, and also what process you had to end.




Final step:

After you've done all that, please post:
  • SDFix log
  • Combofix log
  • A fresh HJT log.
__________________
Punk's anti-hackers website
Punk's Website making and registering tutorial!

Rise And Fall, Rage And Grace

The Offspring!

Huck it!
I just want to be who I want to be
guess that's hard for others to see

Last edited by Punk; 05-12-2008 at 10:51 AM.
-- Punk


Post #22, 05-11-2008, 09:06 PM (Bronze Member)

Now the problem is I can't figure out how to get into Safe Mode. When I press F8 it doesn't have an option for Safe Mode. The way I used to do it was to go into msconfig and then boot up through there, but I can't get that to run now either. I type it into Run and it comes up with the screen... Pick a file to run this.
-- makaveli3004
Post #23, 05-11-2008, 09:50 PM (Bronze Member)

OK, got it to work.


SDFix: Version 1.175
Run by Valued Customer on Sun 05/11/2008 at 04:49 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix\SDFix

Checking Services :


Restoring Windows Registry Values
Restoring Windows Default Hosts File
Restoring Default Schedule Service Path

Rebooting


Checking Files :

Trojan Files Found:

C:\WINDOWS\Config\csrss.exe - Deleted





Removing Temp Files

ADS Check :
-- makaveli3004
Post #24, 05-11-2008, 09:55 PM (Diamond Member, France)

Please post the combofix log and tell me if LOP Remover worked.

Thanks
-- Punk
Post #25, 05-11-2008, 09:57 PM (Bronze Member)

The ComboFix item says only 1/100 machines make it through the process; kinda nervous to do that.
-- makaveli3004


Post #26, 05-12-2008, 01:28 AM (Bronze Member)

The Lop Remover won't let me download it for some reason.
-- makaveli3004
Post #27, 05-12-2008, 01:34 AM (Bronze Member)

Had no problems running ComboFix, but when searching web pages it is still very slow.




"Valued Customer" - 2008-05-11 20:35:37 Service Pack 2
ComboFix 07-05.21.6.V - Running from: "C:\Documents and Settings\Valued Customer\Desktop\"


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
Folders Quarantined:
C:\qoobox\purity\C\Program Files\YSTEM~1
C:\qoobox\purity\C\Program Files\Common Files\SMANTE~1
C:\qoobox\purity\C\Program Files\Common Files\STEM32~1
C:\qoobox\purity\C\WINDOWS\YSTEM3~1
C:\qoobox\purity\C\WINDOWS\system32\RACLE~1


((((((((((((((((((((((((((((((( Files Created from 2008-04-05 to 2008-05-11 ))))))))))))))))))))))))))))))))))


2008-05-11 14:59 91,712 --a------ C:\WINDOWS\system32\uyumvcdx.dll
2008-05-11 14:59 2,112 --a------ C:\WINDOWS\system32\sfwjqgky.exe
2008-05-11 14:59 101,952 --a------ C:\WINDOWS\system32\carrrntn.dll
2008-05-11 14:58 98,368 --a------ C:\WINDOWS\system32\drnfnhxj.dll
2008-05-11 14:58 1,043,784 --ahs---- C:\WINDOWS\system32\XHkSrtwa.ini2
2008-05-11 14:54 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\mrelmhsr
2008-05-11 14:53 72,626 --a------ C:\WINDOWS\system32\yzbgqap.sys
2008-05-11 14:49 12,288 --a------ C:\WINDOWS\system32\aplib.dll
2008-05-09 05:15 <DIR> d-------- C:\DOCUME~1\Mom\APPLIC~1\Awola6
2008-04-29 00:41 <DIR> d-------- C:\VundoFix Backups
2008-04-27 13:35 <DIR> d-------- C:\Avenger
2008-04-27 12:49 <DIR> d-------- C:\WINDOWS\ERUNT
2008-04-22 19:24 0 --ahs---- C:\DOCUME~1\Mom\APPLIC~1\00480e735bb240c3461019295b35d243c30c3294c4.dat


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2008-05-12 00:43:29 -------- d-----w C:\DOCUME~1\VALUED~1\APPLIC~1\DNA
2008-05-11 19:01:46 -------- d-----w C:\DOCUME~1\VALUED~1\APPLIC~1\BitTorrent
2008-04-29 04:51:11 -------- d-----w C:\Program Files\PowerISO
2008-04-15 21:55:43 309,682 --sha-w C:\WINDOWS\system32\mprCdMoq.ini2
2008-04-10 23:08:33 50,176 --s---w C:\WINDOWS\mdm.exe
2008-04-07 21:09:49 -------- d-----w C:\Program Files\iTunes
2008-04-07 21:09:37 -------- d-----w C:\Program Files\iPod
2008-04-07 21:08:48 -------- d-----w C:\Program Files\QuickTime
2008-04-05 17:36:21 664 ----a-w C:\WINDOWS\system32\d3d9caps.dat
2008-04-02 02:00:55 -------- d-----w C:\DOCUME~1\VALUED~1\APPLIC~1\Ahead
2008-03-24 23:15:03 -------- d-----w C:\Program Files\mIRC
2008-03-19 09:47:00 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-14 18:55:37 -------- d-----w C:\Program Files\SUPERAntiSpyware
2008-03-12 02:19:02 -------- d-----w C:\Program Files\Bonjour
2008-03-12 02:07:53 -------- d-----w C:\Program Files\Common Files\Macrovision Shared
2008-03-12 02:01:37 486,108,144 ----a-w C:\ADBEPHSPCS3_WWE.exe
2008-02-20 06:51:05 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32:43 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 16:22]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 22:59]
"osCheck"="C:\Program Files\Norton AntiVirus\osCheck.exe" [2006-09-05 22:22]
"watelkj"="C:\WINDOWS\system32\watelkj.exe" []
"o"="C:\WINDOWS\system32\o.exe" []
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 20:51]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-11-28 20:51]
"Amok Eggs Four Web"="C:\Documents and Settings\All Users\Application Data\part dead amok eggs\long upload.exe" []
"MODE FREE BIRD SURF"="C:\Documents and Settings\All Users\Application Data\beep axis mode free\Grim third.exe" [2008-05-11 17:04]
"ec731d21"="C:\WINDOWS\system32\uyumvcdx.dll" [2008-05-11 14:59]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36]
"BMef402ebd"="C:\WINDOWS\system32\drnfnhxj.dll " [2008-05-11 14:59]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AIM"="C:\Program Files\AIM\aim.exe" [2006-08-01 19:35]
"Orb"="C:\Program Files\Orb Networks\Orb\bin\OrbTray.exe" [2007-12-17 21:02]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 08:00]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-03-04 03:11]
"logo link"="C:\DOCUME~1\VALUED~1\APPLIC~1\FINDOK~1\Hold Log.exe" []
"BitTorrent DNA"="C:\Program Files\DNA\btdna.exe" [2008-05-07 20:07]
"AdobeUpdater"="C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2007-02-28 23:06]
"NBJ"="C:\Program Files\Ahead\Nero BackItUp\NBJ.exe" [2005-10-11 23:25]
"mdm"="C:\WINDOWS\mdm.exe" [2008-04-10 19:08]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"watelkj"=C:\WINDOWS\system32\watelkj.exe
"o"=C:\WINDOWS\system32\o.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegedit"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
C:\Program Files\Internet Explorer\prohdyxe.html

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
C:\Program Files\ComPlus Applications\prohdyxe.html

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"="C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2006-12-20 12:55]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"{AEAC12A0-9342-4D7B-BC25-BB09BA2195CB}"="C:\WINDOWS\mpfanvqg.dll" []
"{71DE5F20-F659-4D48-8469-35CAAE32BB1B}"="C:\WINDOWS\vbksrofa.dll" []

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\geBrsTNH]
geBrsTNH.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iifeefd]
iifeefd.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages msv1_0 C:\WINDOWS\system32\awtrSkHX

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebBuying]
C:\Program Files\Web Buying\v1.8.8\webbuying.exe


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2454c9f0-95b4-11db-8b11-0015af08fdcc}]
AutoRun\command- H:\Programs\nu2menu\nu2menu.exe


Contents of the 'Scheduled Tasks' folder
2008-05-05 15:48:00 C:\WINDOWS\tasks\AppleSoftwareUpdate.job
2008-05-11 21:05:36 C:\WINDOWS\tasks\MP Scheduled Scan.job

********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-11 20:44:10
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0


********************************************************************

Completion time: 2008-05-11 20:46:36
C:\ComboFix-quarantined-files.txt ... 2008-05-11 20:46
C:\ComboFix2.txt ... 2008-04-26 12:44
C:\ComboFix3.txt ... 2008-02-22 02:10

--- E O F ---
-- makaveli3004
Post #28, 05-12-2008, 10:50 AM (Diamond Member, France)

Alright.

Still some files to delete:

Download Avenger, and unzip it to your desktop or somewhere you can find it. (Do not run it yet).

Note: This program is for use on Windows XP 32 bit systems only, and must be run from an Administrator account.
  • Open a Notepad file by clicking Start > Run and typing Notepad.exe in the box, click OK.
  • Click Format, and ensure Word Wrap is unchecked.
  • Copy and Paste the text in the box below into Notepad.
  • Now save the file as RemoveFiles.txt in a location where you can find it.

Quote:
Files to delete:
C:\WINDOWS\system32\uyumvcdx.dll
C:\WINDOWS\system32\sfwjqgky.exe
C:\WINDOWS\system32\carrrntn.dll
C:\WINDOWS\system32\drnfnhxj.dll
C:\WINDOWS\system32\XHkSrtwa.ini2
C:\WINDOWS\system32\yzbgqap.sys
C:\WINDOWS\system32\aplib.dll

Folders to delete:
C:\DOCUME~1\ALLUSE~1\APPLIC~1\mrelmhsr
C:\DOCUME~1\Mom\APPLIC~1\Awola6

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

Start Avenger by double clicking on Avenger.exe.
  • Check Load script from file:
  • Click on the folder symbol below and to the right, and browse to RemoveFiles.txt.
  • Double click it to enter it into Avenger.
  • Click the green traffic light symbol.
  • You will be asked if you want to execute the script, answer Yes.
  • At this point you may get prompts from your protection systems, allow them please.
  • Avenger will set itself up to run the next time you re-boot, and will prompt you to re-start immediately.
  • Answer Yes, and allow your computer to re-boot.
  • Upon re-boot a command window will briefly appear on screen (this is normal).
  • A Notepad text file will be created C:\avenger.txt.
  • Copy and Paste it into your next post please.
-- Punk
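The ComboFix log in post #27 and the Avenger script in post #28 together show the helper's workflow: read the loading points, decide which newly created files belong to the infection, and hand Avenger a deletion list. The script below is an added example, not code from this thread or from SDFix, ComboFix or Avenger, that applies the same heuristics a helper applies by eye: a Run entry whose target has no timestamp (ComboFix prints an empty `[]`), a random-looking file name, an autostart launched out of the user profile's Application Data, an LSA authentication package other than msv1_0, and files created in the same ten-minute burst as a random-named file, which is how a dropper's components cluster. The sample input is a constructed excerpt of the posted log; the name-entropy thresholds and the ten-minute window are assumptions chosen for this log, not anything the tools document.

```python
"""Triage a ComboFix-style log and draft an Avenger removal script.
Added example for this thread; not SDFix, ComboFix or Avenger code.
SAMPLE_LOG is a constructed excerpt of the log posted in #27."""
import re
from datetime import datetime, timedelta

SAMPLE_LOG = r"""
((((( Files Created from 2008-04-05 to 2008-05-11 )))))
2008-05-11 14:59 91,712 --a------ C:\WINDOWS\system32\uyumvcdx.dll
2008-05-11 14:59 2,112 --a------ C:\WINDOWS\system32\sfwjqgky.exe
2008-05-11 14:59 101,952 --a------ C:\WINDOWS\system32\carrrntn.dll
2008-05-11 14:58 98,368 --a------ C:\WINDOWS\system32\drnfnhxj.dll
2008-05-11 14:58 1,043,784 --ahs---- C:\WINDOWS\system32\XHkSrtwa.ini2
2008-05-11 14:54 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\mrelmhsr
2008-05-11 14:53 72,626 --a------ C:\WINDOWS\system32\yzbgqap.sys
2008-05-11 14:49 12,288 --a------ C:\WINDOWS\system32\aplib.dll
2008-05-09 05:15 <DIR> d-------- C:\DOCUME~1\Mom\APPLIC~1\Awola6
((((( Reg Loading Points )))))
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 16:22]
"osCheck"="C:\Program Files\Norton AntiVirus\osCheck.exe" [2006-09-05 22:22]
"watelkj"="C:\WINDOWS\system32\watelkj.exe" []
"MODE FREE BIRD SURF"="C:\Documents and Settings\All Users\Application Data\beep axis mode free\Grim third.exe" [2008-05-11 17:04]
"ec731d21"="C:\WINDOWS\system32\uyumvcdx.dll" [2008-05-11 14:59]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Orb"="C:\Program Files\Orb Networks\Orb\bin\OrbTray.exe" [2007-12-17 21:02]
"logo link"="C:\DOCUME~1\VALUED~1\APPLIC~1\FINDOK~1\Hold Log.exe" []
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages msv1_0 C:\WINDOWS\system32\awtrSkHX
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"="?(?P<path>[^"\[]+?)"?\s*(?:\[(?P<stamp>[^\]]*)\])?\s*$')
FILE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(<DIR>|[\d,]+)\s+\S+\s+(.+)$")
PROFILE_RE = re.compile(r"\\(Application Data|APPLIC~1)\\", re.I)


def file_stem(path):
    # 'C:\WINDOWS\system32\uyumvcdx.dll' -> 'uyumvcdx'
    return re.sub(r"\.[^.\\]+$", "", path.rstrip().rsplit("\\", 1)[-1])


def looks_random(stem):
    """Generated-name heuristic: letters only, 7+ chars, and either few vowels
    or a long consonant run. Thresholds are assumptions tuned on this log."""
    if not stem.isalpha() or len(stem) < 7:
        return False
    low = stem.lower()
    vowel_ratio = sum(c in "aeiouy" for c in low) / len(low)
    longest_run = max((len(r) for r in re.findall(r"[^aeiouy]+", low)), default=0)
    return vowel_ratio < 0.25 or longest_run >= 5


def triage_autostarts(log_text):
    """Return (key, value name, path, reason) tuples for suspicious loading points."""
    findings, key = [], None
    for line in (l.strip() for l in log_text.splitlines()):
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        if key is None:
            continue
        if key.lower().endswith("\\lsa") and line.startswith("Authentication Packages"):
            for pkg in line.split()[2:]:
                if pkg.lower() != "msv1_0":  # msv1_0 is the only default package on XP
                    findings.append((key, "Authentication Packages", pkg, "extra LSA authentication package"))
            continue
        m = VALUE_RE.match(line)
        if not m:
            continue
        name, path, stamp = m.group("name"), m.group("path").strip(), m.group("stamp")
        if stamp == "":  # ComboFix printed []: no timestamp for the target file
            findings.append((key, name, path, "no file timestamp recorded"))
        if looks_random(file_stem(path)):
            findings.append((key, name, path, "random-looking file name"))
        if PROFILE_RE.search(path):
            findings.append((key, name, path, "autostart from a user-writable profile directory"))
    return findings


def draft_avenger_script(log_text, window=timedelta(minutes=10)):
    """Pick everything created within `window` of a random-named file (a dropper
    writes its components in one burst) and format it the way Avenger expects."""
    entries = []
    for line in log_text.splitlines():
        m = FILE_RE.match(line.strip())
        if m:
            when = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M")
            entries.append((when, m.group(2) == "<DIR>", m.group(3).strip()))
    anchors = [when for when, _, path in entries if looks_random(file_stem(path))]
    picked = [e for e in entries if any(abs(e[0] - a) <= window for a in anchors)]
    files = [p for _, is_dir, p in picked if not is_dir]
    folders = [p for _, is_dir, p in picked if is_dir]
    lines = ["Files to delete:", *files]
    if folders:
        lines += ["", "Folders to delete:", *folders]
    return "\n".join(lines)


if __name__ == "__main__":
    for key, name, path, reason in triage_autostarts(SAMPLE_LOG):
        print(f"[{reason}] {name} -> {path}")
    print()
    print(draft_avenger_script(SAMPLE_LOG))
```

On this excerpt the draft names the same seven system32 files and the mrelmhsr folder that the helper's script in post #28 lists, and leaves NvCpl, osCheck and OrbTray alone; it does not pick up Awola6, which was created two days before the burst and whose name carries a digit, so only the helper's judgement caught that one. Treat the output as a starting point for review, never as a list to feed Avenger unread on a machine you have not inspected.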
Post #29, 05-12-2008, 09:05 PM (Bronze Member)

Thank you, things are much better now. Still a few pop-ups, but mainly better.

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File "C:\WINDOWS\system32\uyumvcdx.dll" deleted successfully.
File "C:\WINDOWS\system32\sfwjqgky.exe" deleted successfully.
File "C:\WINDOWS\system32\carrrntn.dll" deleted successfully.
File "C:\WINDOWS\system32\drnfnhxj.dll" deleted successfully.
File "C:\WINDOWS\system32\XHkSrtwa.ini2" deleted successfully.
File "C:\WINDOWS\system32\yzbgqap.sys" deleted successfully.
File "C:\WINDOWS\system32\aplib.dll" deleted successfully.
Folder "C:\DOCUME~1\ALLUSE~1\APPLIC~1\mrelmhsr" deleted successfully.
Folder "C:\DOCUME~1\Mom\APPLIC~1\Awola6" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.
-- makaveli3004
Post #30, 05-12-2008, 09:28 PM (Diamond Member, France)

What kind of popups are you getting?
-- Punk
All times are GMT +1.


Powered by: vBulletin Version 3.7.2
Copyright ©2000 - 2008, Jelsoft Enterprises Ltd.
SEO by vBSEO 3.1.0 ©2007, Crawlability, Inc.
Copyright © 2002-2007 Computer Forum and Web Design Forum