Need Help Cleaning My System Really Really Bad!

Punk

Moderator
Staff member
Sorry for the late reply.

OK, since things have changed, please post these new logs:


Step 1:

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any trojan services and registry entries that it finds, then prompt you to press any key to reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts, the Fixtool will run again and complete the removal process, then display Finished; press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log


Step 2:


Download and Run ComboFix
If you already have ComboFix, please delete that copy and download it again, as it is updated regularly.
Note: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

ComboFix should never take more than 20 minutes, including the reboot if malware is detected.
If it does, open Task Manager (press Ctrl, Alt and Del at the same time), go to the Processes tab and end any findstr, find, sed or swreg processes; ComboFix should then continue.
If that happens, we want to know, and also which process you had to end.




Final step:

After you've done all that, please post:
  • SDFix log
  • Combofix log
  • A fresh HJT log.
 

makaveli3004

New Member
Now the problem is I can't figure out how to get into Safe Mode. When I press F8 it doesn't have an option for Safe Mode. The way I used to do it was to go into msconfig and then boot up through there, but I can't get that to run now either. I type it into Run and it comes up with the screen... Pick a file to run this.
 

makaveli3004

New Member
OK, got it to work.


SDFix: Version 1.175
Run by Valued Customer on Sun 05/11/2008 at 04:49 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix\SDFix

Checking Services :


Restoring Windows Registry Values
Restoring Windows Default Hosts File
Restoring Default Schedule Service Path

Rebooting


Checking Files :

Trojan Files Found:

C:\WINDOWS\Config\csrss.exe - Deleted





Removing Temp Files

ADS Check :
 

makaveli3004

New Member
Had no problems running ComboFix, but when searching web pages it is still very slow.




"Valued Customer" - 2008-05-11 20:35:37 Service Pack 2
ComboFix 07-05.21.6.V - Running from: "C:\Documents and Settings\Valued Customer\Desktop\"


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
Folders Quarantined:
C:\qoobox\purity\C\Program Files\YSTEM~1
C:\qoobox\purity\C\Program Files\Common Files\SMANTE~1
C:\qoobox\purity\C\Program Files\Common Files\STEM32~1
C:\qoobox\purity\C\WINDOWS\YSTEM3~1
C:\qoobox\purity\C\WINDOWS\system32\RACLE~1


((((((((((((((((((((((((((((((( Files Created from 2008-04-05 to 2008-05-11 ))))))))))))))))))))))))))))))))))


2008-05-11 14:59 91,712 --a------ C:\WINDOWS\system32\uyumvcdx.dll
2008-05-11 14:59 2,112 --a------ C:\WINDOWS\system32\sfwjqgky.exe
2008-05-11 14:59 101,952 --a------ C:\WINDOWS\system32\carrrntn.dll
2008-05-11 14:58 98,368 --a------ C:\WINDOWS\system32\drnfnhxj.dll
2008-05-11 14:58 1,043,784 --ahs---- C:\WINDOWS\system32\XHkSrtwa.ini2
2008-05-11 14:54 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\mrelmhsr
2008-05-11 14:53 72,626 --a------ C:\WINDOWS\system32\yzbgqap.sys
2008-05-11 14:49 12,288 --a------ C:\WINDOWS\system32\aplib.dll
2008-05-09 05:15 <DIR> d-------- C:\DOCUME~1\Mom\APPLIC~1\Awola6
2008-04-29 00:41 <DIR> d-------- C:\VundoFix Backups
2008-04-27 13:35 <DIR> d-------- C:\Avenger
2008-04-27 12:49 <DIR> d-------- C:\WINDOWS\ERUNT
2008-04-22 19:24 0 --ahs---- C:\DOCUME~1\Mom\APPLIC~1\00480e735bb240c3461019295b35d243c30c3294c4.dat


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2008-05-12 00:43:29 -------- d-----w C:\DOCUME~1\VALUED~1\APPLIC~1\DNA
2008-05-11 19:01:46 -------- d-----w C:\DOCUME~1\VALUED~1\APPLIC~1\BitTorrent
2008-04-29 04:51:11 -------- d-----w C:\Program Files\PowerISO
2008-04-15 21:55:43 309,682 --sha-w C:\WINDOWS\system32\mprCdMoq.ini2
2008-04-10 23:08:33 50,176 --s---w C:\WINDOWS\mdm.exe
2008-04-07 21:09:49 -------- d-----w C:\Program Files\iTunes
2008-04-07 21:09:37 -------- d-----w C:\Program Files\iPod
2008-04-07 21:08:48 -------- d-----w C:\Program Files\QuickTime
2008-04-05 17:36:21 664 ----a-w C:\WINDOWS\system32\d3d9caps.dat
2008-04-02 02:00:55 -------- d-----w C:\DOCUME~1\VALUED~1\APPLIC~1\Ahead
2008-03-24 23:15:03 -------- d-----w C:\Program Files\mIRC
2008-03-19 09:47:00 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-14 18:55:37 -------- d-----w C:\Program Files\SUPERAntiSpyware
2008-03-12 02:19:02 -------- d-----w C:\Program Files\Bonjour
2008-03-12 02:07:53 -------- d-----w C:\Program Files\Common Files\Macrovision Shared
2008-03-12 02:01:37 486,108,144 ----a-w C:\ADBEPHSPCS3_WWE.exe
2008-02-20 06:51:05 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32:43 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 16:22]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 22:59]
"osCheck"="C:\Program Files\Norton AntiVirus\osCheck.exe" [2006-09-05 22:22]
"watelkj"="C:\WINDOWS\system32\watelkj.exe" []
"o"="C:\WINDOWS\system32\o.exe" []
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 20:51]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-11-28 20:51]
"Amok Eggs Four Web"="C:\Documents and Settings\All Users\Application Data\part dead amok eggs\long upload.exe" []
"MODE FREE BIRD SURF"="C:\Documents and Settings\All Users\Application Data\beep axis mode free\Grim third.exe" [2008-05-11 17:04]
"ec731d21"="C:\WINDOWS\system32\uyumvcdx.dll" [2008-05-11 14:59]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36]
"BMef402ebd"="C:\WINDOWS\system32\drnfnhxj.dll" [2008-05-11 14:59]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AIM"="C:\Program Files\AIM\aim.exe" [2006-08-01 19:35]
"Orb"="C:\Program Files\Orb Networks\Orb\bin\OrbTray.exe" [2007-12-17 21:02]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 08:00]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-03-04 03:11]
"logo link"="C:\DOCUME~1\VALUED~1\APPLIC~1\FINDOK~1\Hold Log.exe" []
"BitTorrent DNA"="C:\Program Files\DNA\btdna.exe" [2008-05-07 20:07]
"AdobeUpdater"="C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2007-02-28 23:06]
"NBJ"="C:\Program Files\Ahead\Nero BackItUp\NBJ.exe" [2005-10-11 23:25]
"mdm"="C:\WINDOWS\mdm.exe" [2008-04-10 19:08]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"watelkj"=C:\WINDOWS\system32\watelkj.exe
"o"=C:\WINDOWS\system32\o.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegedit"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
C:\Program Files\Internet Explorer\prohdyxe.html

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
C:\Program Files\ComPlus Applications\prohdyxe.html

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"="C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2006-12-20 12:55]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"{AEAC12A0-9342-4D7B-BC25-BB09BA2195CB}"="C:\WINDOWS\mpfanvqg.dll" []
"{71DE5F20-F659-4D48-8469-35CAAE32BB1B}"="C:\WINDOWS\vbksrofa.dll" []

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\geBrsTNH]
geBrsTNH.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iifeefd]
iifeefd.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages msv1_0 C:\WINDOWS\system32\awtrSkHX

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebBuying]
C:\Program Files\Web Buying\v1.8.8\webbuying.exe


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2454c9f0-95b4-11db-8b11-0015af08fdcc}]
AutoRun\command- H:\Programs\nu2menu\nu2menu.exe


Contents of the 'Scheduled Tasks' folder
2008-05-05 15:48:00 C:\WINDOWS\tasks\AppleSoftwareUpdate.job
2008-05-11 21:05:36 C:\WINDOWS\tasks\MP Scheduled Scan.job

********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-11 20:44:10
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0


********************************************************************

Completion time: 2008-05-11 20:46:36
C:\ComboFix-quarantined-files.txt ... 2008-05-11 20:46
C:\ComboFix2.txt ... 2008-04-26 12:44
C:\ComboFix3.txt ... 2008-02-22 02:10

--- E O F ---
 

Punk

Moderator
Staff member
Alright.

Still some files to delete:

Download Avenger, and unzip it to your desktop or somewhere you can find it. (Do not run it yet).

Note: This program is for use on Windows XP 32 bit systems only, and must be run from an Administrator account.

  • Open a Notepad file by clicking Start > Run and typing Notepad.exe in the box, click OK.
  • Click Format, and ensure Word Wrap is unchecked.
  • Copy and Paste the text in the box below into Notepad.
  • Now save the file as RemoveFiles.txt in a location where you can find it.

Files to delete:
C:\WINDOWS\system32\uyumvcdx.dll
C:\WINDOWS\system32\sfwjqgky.exe
C:\WINDOWS\system32\carrrntn.dll
C:\WINDOWS\system32\drnfnhxj.dll
C:\WINDOWS\system32\XHkSrtwa.ini2
C:\WINDOWS\system32\yzbgqap.sys
C:\WINDOWS\system32\aplib.dll

Folders to delete:
C:\DOCUME~1\ALLUSE~1\APPLIC~1\mrelmhsr
C:\DOCUME~1\Mom\APPLIC~1\Awola6

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

Start Avenger by double clicking on Avenger.exe.
  • Check Load script from file:
  • Click on the folder symbol below and to the right, and browse to RemoveFiles.txt.
  • Double click it to enter it into Avenger.
  • Click the green traffic light symbol.
  • You will be asked if you want to execute the script, answer Yes.
  • At this point you may get prompts from your protection systems, allow them please.
  • Avenger will set itself up to run the next time you re-boot, and will prompt you to re-start immediately.
  • Answer Yes, and allow your computer to re-boot.
  • Upon re-boot a command window will briefly appear on screen (this is normal).
  • A Notepad text file will be created C:\avenger.txt.
  • Copy and Paste it into your next post please.
 

makaveli3004

New Member
Thank you, things are much better now; still a few pop-ups, but mainly better.

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File "C:\WINDOWS\system32\uyumvcdx.dll" deleted successfully.
File "C:\WINDOWS\system32\sfwjqgky.exe" deleted successfully.
File "C:\WINDOWS\system32\carrrntn.dll" deleted successfully.
File "C:\WINDOWS\system32\drnfnhxj.dll" deleted successfully.
File "C:\WINDOWS\system32\XHkSrtwa.ini2" deleted successfully.
File "C:\WINDOWS\system32\yzbgqap.sys" deleted successfully.
File "C:\WINDOWS\system32\aplib.dll" deleted successfully.
Folder "C:\DOCUME~1\ALLUSE~1\APPLIC~1\mrelmhsr" deleted successfully.
Folder "C:\DOCUME~1\Mom\APPLIC~1\Awola6" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.
 

makaveli3004

New Member
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:38:40 PM, on 5/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Orb Networks\Orb\bin\OrbTray.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\DNA\btdna.exe
C:\WINDOWS\mdm.exe
C:\Program Files\Orb Networks\Orb\bin\Orb.exe
C:\Program Files\ASUS WiFi-AP Solo\RtWLan.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceHelper.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\distnoted.exe
C:\Program Files\BitTorrent\bittorrent.exe
C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Tibia\Tibia.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Valued Customer\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [watelkj] C:\WINDOWS\system32\watelkj.exe
O4 - HKLM\..\Run: [o] C:\WINDOWS\system32\o.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [Amok Eggs Four Web] C:\Documents and Settings\All Users\Application Data\part dead amok eggs\long upload.exe
O4 - HKLM\..\Run: [MODE FREE BIRD SURF] C:\Documents and Settings\All Users\Application Data\beep axis mode free\Grim third.exe
O4 - HKLM\..\Run: [ec731d21] rundll32.exe "C:\WINDOWS\system32\uyumvcdx.dll",b
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [BMef402ebd] Rundll32.exe "C:\WINDOWS\system32\drnfnhxj.dll",s
O4 - HKLM\..\RunServices: [watelkj] C:\WINDOWS\system32\watelkj.exe
O4 - HKLM\..\RunServices: [o] C:\WINDOWS\system32\o.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Orb] "C:\Program Files\Orb Networks\Orb\bin\OrbTray.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [logo link] C:\DOCUME~1\VALUED~1\APPLIC~1\FINDOK~1\Hold Log.exe
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [mdm] C:\WINDOWS\mdm.exe
O4 - HKUS\S-1-5-21-790525478-963894560-725345543-1006\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Mom')
O4 - HKUS\S-1-5-21-790525478-963894560-725345543-1006\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime (User 'Mom')
O4 - HKUS\S-1-5-21-790525478-963894560-725345543-1006\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl (User 'Mom')
O4 - HKUS\S-1-5-21-790525478-963894560-725345543-1006\..\Run: [MS Juan] rundll32 "C:\DOCUME~1\Mom\LOCALS~1\Temp\lefpbtid.dll",run (User 'Mom')
O4 - HKUS\S-1-5-21-790525478-963894560-725345543-1006\..\Run: [ec731d21] rundll32.exe "C:\DOCUME~1\Mom\LOCALS~1\Temp\dgbppfhm.dll",b (User 'Mom')
O4 - Global Startup: ASUS WiFi-AP Solo.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20061205/qtinstall.info.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {4CCA4E80-9259-11D9-AC6E-444553544200} (FixController Control) - http://h30155.www3.hp.com/ediags/dd/install/HPInstallMgr_v01_5.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {95D88B35-A521-472B-A182-BB1A98356421} (Pearson Installation Assistant 2) - http://asp.mathxl.com/books/_Players/PearsonInstallAsst2.cab
O16 - DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} (Pearson MathXL Player) - http://asp.mathxl.com/books/_Players/MathPlayer.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6CE3FB5E-A75E-430E-8347-262B2620F726}: NameServer = 192.9.9.3
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: geBrsTNH - geBrsTNH.dll (file missing)
O20 - Winlogon Notify: iifeefd - iifeefd.dll (file missing)
O21 - SSODL: mpfanvqg - {AEAC12A0-9342-4D7B-BC25-BB09BA2195CB} - C:\WINDOWS\mpfanvqg.dll (file missing)
O21 - SSODL: vbksrofa - {71DE5F20-F659-4D48-8469-35CAAE32BB1B} - C:\WINDOWS\vbksrofa.dll (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\Internet Explorer\prohdyxe.html
O24 - Desktop Component 1: (no name) - C:\Program Files\ComPlus Applications\prohdyxe.html

--
End of file - 9833 bytes
 
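The log above is the kind of thing a helper reads by eye: autostarts living in Application Data or Temp, rundll32 entry points called b, s or run, Winlogon Notify and SSODL entries whose DLL is already gone, RunServices values, and eight-letter names with no vowels. The script below is an added example written for this thread, not code from HijackThis, ComboFix or any other tool mentioned here. It parses O4/O20/O21 lines and applies those rules mechanically; the sample lines are a subset of the HijackThis log posted above, and the thresholds (five consonants in a row, entry points of three characters or fewer) are my own assumptions.

```python
"""Triage of HijackThis-style autostart lines (O4, O20, O21).

Added example for this forum thread; not part of HijackThis, ComboFix or any
other tool discussed here. The rules are hand-written heuristics that produce
a list of entries worth a second look, not a verdict.
"""
import re
from collections import namedtuple

Entry = namedtuple("Entry", "section key name path export missing")
Finding = namedtuple("Finding", "section key name path reasons")

# Constructed sample: a subset of the O4/O20/O21 lines from the log posted above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [watelkj] C:\WINDOWS\system32\watelkj.exe
O4 - HKLM\..\Run: [o] C:\WINDOWS\system32\o.exe
O4 - HKLM\..\Run: [Amok Eggs Four Web] C:\Documents and Settings\All Users\Application Data\part dead amok eggs\long upload.exe
O4 - HKLM\..\Run: [ec731d21] rundll32.exe "C:\WINDOWS\system32\uyumvcdx.dll",b
O4 - HKLM\..\RunServices: [o] C:\WINDOWS\system32\o.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [logo link] C:\DOCUME~1\VALUED~1\APPLIC~1\FINDOK~1\Hold Log.exe
O4 - HKUS\S-1-5-21-790525478-963894560-725345543-1006\..\Run: [MS Juan] rundll32 "C:\DOCUME~1\Mom\LOCALS~1\Temp\lefpbtid.dll",run (User 'Mom')
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: geBrsTNH - geBrsTNH.dll (file missing)
O21 - SSODL: mpfanvqg - {AEAC12A0-9342-4D7B-BC25-BB09BA2195CB} - C:\WINDOWS\mpfanvqg.dll (file missing)
"""

LINE_RE = re.compile(r"^O(?P<sec>\d+) - (?P<body>.*)$")
# O4 bodies look like:  HKLM\..\Run: [name] command
O4_RE = re.compile(
    r"^(?:HKLM|HKCU|HKUS\\S-[\d-]+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$"
)
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+)"?\s*,\s*(?P<export>\S+)', re.I)
# Per-user data and temp directories, in the long and 8.3 short forms HijackThis prints.
DATA_DIR_RE = re.compile(r"\\(APPLIC~1|Application Data|LOCALS~1\\Temp|Local Settings\\Temp|Temp)\\", re.I)
CONSONANT_RUN_RE = re.compile(r"[bcdfghjklmnpqrstvwxyz]{5}", re.I)


def extract_target(cmd):
    """Return (path, rundll32 export or None) for an O4 command string."""
    m = RUNDLL_RE.match(cmd)
    if m:
        return m.group("dll"), m.group("export")
    m = re.match(r'^"(?P<p>[^"]+)"', cmd)
    if m:
        return m.group("p"), None
    # Unquoted path, possibly containing spaces: take everything up to the extension.
    m = re.match(r"^(?P<p>.+?\.(?:exe|dll|scr|com))(?:\s|$)", cmd, re.I)
    return (m.group("p") if m else cmd.strip()), None


def parse_line(line):
    """Turn one HijackThis line into an Entry, or None for sections we ignore."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    sec, body = int(m.group("sec")), m.group("body")
    if sec == 4:
        m4 = O4_RE.match(body)
        if not m4:
            return None
        path, export = extract_target(m4.group("cmd"))
        return Entry(sec, m4.group("key"), m4.group("name"), path, export, False)
    if sec in (20, 21):
        # "Winlogon Notify: name - dll"  or  "SSODL: name - {clsid} - dll"
        kind, _, rest = body.partition(": ")
        parts = [p.strip() for p in rest.split(" - ")]
        target = parts[-1]
        missing = target.endswith("(file missing)")
        return Entry(sec, kind, parts[0], target.replace("(file missing)", "").strip(), None, missing)
    return None


def looks_random(stem):
    """Seven or more letters containing a run of five consonants: typical of generated names."""
    return len(stem) >= 7 and stem.isalpha() and bool(CONSONANT_RUN_RE.search(stem))


def assess(e):
    """Apply the heuristics (assumed thresholds) and return the reasons that fired."""
    reasons = []
    filename = e.path.rsplit("\\", 1)[-1]
    stem = re.sub(r"\.[a-z0-9]+$", "", filename, flags=re.I)
    if e.missing:
        reasons.append("orphaned entry: the referenced file no longer exists")
    if e.key.lower().startswith("runservices"):
        reasons.append("RunServices key: only processed by Windows 9x/ME, rarely used by legitimate software on XP")
    if DATA_DIR_RE.search(e.path):
        reasons.append("runs from a user data or temp directory rather than Program Files or %SystemRoot%")
    if e.export is not None and len(e.export) <= 3:
        reasons.append("rundll32 entry point with a throwaway name (%r)" % e.export)
    if len(stem) <= 2:
        reasons.append("one- or two-character file name")
    if looks_random(stem):
        reasons.append("random-looking file name %r" % stem)
    return reasons


def triage(text):
    """Return a Finding for every parsed entry that tripped at least one rule."""
    findings = []
    for line in text.splitlines():
        e = parse_line(line)
        if e is None:
            continue
        reasons = assess(e)
        if reasons:
            findings.append(Finding(e.section, e.key, e.name, e.path, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print("O%d %-16s [%s] %s" % (f.section, f.key, f.name, f.path))
        for r in f.reasons:
            print("    - " + r)
```

Two things worth noticing in the output. NvCpl.dll, ccApp.exe, ctfmon.exe and SASWINLO.DLL pass every rule, so the rules are not just "flag anything I don't recognise". But watelkj.exe is not flagged at all, and o.exe only for its name, even though the ComboFix log above prints both with empty brackets, the same marker it prints for the SSODL DLLs that HijackThis reports as "(file missing)". A HijackThis log on its own does not say whether an O4 target exists, which is why the helpers here keep asking for both logs.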

Punk

Moderator
Staff member
Sorry for the late reply.
Things must have changed since our last action; let's see what has changed:
Download Deckard's System Scanner (DSS) to your Desktop. Note: You must be logged onto an account with administrator privileges.
  • Close all applications and windows.
  • Double-click on dss.exe to run it, and follow the prompts.
  • When the scan is complete, two text files will open: main.txt (maximized) and extra.txt (minimized).
  • Copy (Ctrl+A, then Ctrl+C) and paste (Ctrl+V) the contents of main.txt and extra.txt into your reply.
 

ceewi1

VIP Member
Please delete the version of ComboFix you have and download an updated one from http://download.bleepingcomputer.com/sUBs/ComboFix.exe

  • Open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    Code:
    File::
    C:\WINDOWS\system32\mprCdMoq.ini2
    C:\Program Files\Internet Explorer\prohdyxe.html
    C:\Program Files\ComPlus Applications\prohdyxe.html
    C:\WINDOWS\system32\awtrSkHX
    C:\DOCUME~1\Mom\LOCALS~1\Temp\lefpbtid.dll
    C:\DOCUME~1\Mom\LOCALS~1\Temp\dgbppfhm.dll
    
    Folder::
    C:\Documents and Settings\All Users\Application Data\part dead amok eggs
    C:\Documents and Settings\All Users\Application Data\beep axis mode free
    C:\DOCUME~1\VALUED~1\APPLIC~1\FINDOK~1\
    C:\Program Files\Web Buying
    
    Registry::
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "watelkj"=-
    "o"=-
    "Amok Eggs Four Web"=-
    "MODE FREE BIRD SURF"=-
    "ec731d21"=-
    "BMef402ebd"=-
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "logo link"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
    "watelkj"=-
    "o"=-
    [-HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
    [-HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    "{AEAC12A0-9342-4D7B-BC25-BB09BA2195CB}"=-
    "{71DE5F20-F659-4D48-8469-35CAAE32BB1B}"=-
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\geBrsTNH]
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iifeefd]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebBuying]
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    "Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
  • Save this as CFScript.txt and change the Save as type to All Files and place it on your desktop.


    [Screenshot: CFScript.gif]



  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply, along with a new HijackThis log.
CAUTION:
Do NOT mouse-click ComboFix's window while it is running. That may cause it to stall.
Also, please do NOT adjust your time format while ComboFix is running.
 
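The last line of that CFScript deserves a closer look. "Authentication Packages" under HKLM\system\currentcontrolset\control\lsa is a REG_MULTI_SZ listing the DLLs LSASS loads at boot; the ComboFix log above showed it as msv1_0 followed by C:\WINDOWS\system32\awtrSkHX, and the script writes it back to hex(7):6d,73,76,31,5f,30,00,00, which is "msv1_0" with its NUL terminator and the list-ending NUL, one byte per character. The codec below is an added example written for this thread, not part of ComboFix; it decodes and builds that notation so a reset value can be read rather than trusted, and it handles the UTF-16LE form that "Windows Registry Editor Version 5.00" files use for the same type. The assumption that ComboFix scripts use the one-byte REGEDIT4 form is read off the eight-byte value in the script itself.

```python
"""Decode and build REG_MULTI_SZ values in the hex(7) notation of .reg files.

Added example for this forum thread; not part of ComboFix or any other tool
mentioned here. The only real data is the "Authentication Packages" line from
the CFScript above; the infected value is reconstructed from the ComboFix log.
"""
import re

# The only authentication package a stock XP installation lists in that value.
DEFAULT_AUTH_PACKAGES = ["msv1_0"]


def decode_hex7(value, utf16=False):
    """'hex(7):6d,73,...' -> list of strings.

    REGEDIT4-style files (and, as the CFScript above shows, ComboFix scripts)
    store one byte per character; 'Windows Registry Editor Version 5.00' files
    store UTF-16LE, so pass utf16=True for those. Line continuations (a
    backslash at the end of a line) are tolerated.
    """
    body = re.sub(r"^\s*hex\(7\):", "", value.strip(), flags=re.I)
    body = re.sub(r"[\s\\]", "", body)          # drop whitespace and continuation backslashes
    raw = bytes(int(h, 16) for h in body.split(",") if h)
    text = raw.decode("utf-16-le" if utf16 else "latin-1")
    # REG_MULTI_SZ: every string is NUL-terminated and the list ends with one more NUL.
    return [s for s in text.split("\0") if s]


def encode_hex7(strings, utf16=False):
    """list of strings -> 'hex(7):...' exactly as a .reg file would carry it."""
    text = "".join(s + "\0" for s in strings) + "\0"
    raw = text.encode("utf-16-le" if utf16 else "latin-1")
    return "hex(7):" + ",".join("%02x" % b for b in raw)


def extra_auth_packages(strings):
    """Anything beyond the stock msv1_0 is a DLL LSASS will load at boot."""
    stock = {p.lower() for p in DEFAULT_AUTH_PACKAGES}
    return [s for s in strings if s.lower() not in stock]


if __name__ == "__main__":
    script_line = '"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00'
    name, _, value = script_line.partition("=")
    print(name, "resets to", decode_hex7(value))
    # Reconstructed from the ComboFix "Reg Loading Points" section above.
    infected = ["msv1_0", r"C:\WINDOWS\system32\awtrSkHX"]
    print("infected value in REGEDIT4 form:", encode_hex7(infected))
    print("infected value in Version 5.00 form:", encode_hex7(infected, utf16=True))
    print("packages that are not stock:", extra_auth_packages(infected))
```

The rest of the Registry:: section uses ordinary .reg semantics: "name"=- deletes a value, and [-key] deletes a whole key. The Authentication Packages line is the one entry that cannot be deleted, because LSASS needs msv1_0 to log anyone on; it has to be rewritten with the stock content, which is exactly what the hex(7) string encodes.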

Punk

Moderator
Staff member
OK. Good luck, ceewi1; this user comes here rarely, which makes the disinfection really hard...
 