Old 16th November 2008   #1
Posted by helpme2008 (Member)


[Resolved] RSIT Error and Random I/E pop-ups

Hi,

My dad's computer has become super slow. After bootup, minutes later, he has random IE windows pop up. You can close them, but they come back. Eventually, it'll freeze the computer. I dunno what he installed, but it's taking a lot of memory. I've taken it off the network. I've downloaded RSIT and Hijackthis on my laptop and copied it over.

RSIT can never finish -- I get to the "Listing recently created files/folders" progress bar and then an "AutoIt Error - Line -1 Error: subscript used with non-Array variable." message comes up.

When I click "OK", RSIT shuts down.

I've run Hijackthis alone and the log is below. Any help appreciated. Thanks much!!!

P.S. I've run Adaware and Spybot and they've found items, but they never resolve them. The toolbars from Verizon/Google, etc. can go. I dunno how he installed them, but those can go.

Please HELP.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at ÏÂÎç 12:41:36, on 2008/11/16
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\program files\internet explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rtmbufdx.exe
C:\WINDOWS\RavNT.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R3 - URLSearchHook: MapQuest Toolbar Search Class - {2731C719-B8C5-4282-993D-B5AD0E77531D} - C:\Program Files\MapQuest Toolbar\mqtb.dll
R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\NZSearch\SearchEnh1.dll
R3 - URLSearchHook: Yahoo! ½{¬Žãð - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
F3 - REG:win.ini: load=C:\WINDOWS\system\rundll32.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system\rundll32.exe,
N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\DSC\Application Data\Mozilla\Profiles\default\bo4a3ldz.slt\prefs.js)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Verizon Broadband Toolbar - {4E7BD74F-2B8D-469E-8CB0-AB60BB9AAE22} - C:\PROGRA~1\VOL_TO~1\VOL_TO~1.DLL
O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-D0EA-EF7AF4D5FA7D} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: QylIEHlpr Class - {922C93CD-8B92-485a-8B40-F9DB7E0984A5} - C:\WINDOWS\system32\qylhelper.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: MiniFlashGetBHO - {C74E94A7-B7BD-4891-9328-455395BCC7AD} - C:\Program Files\FlashGet Network\FlashGet Mini\libMiniBHO.dll
O2 - BHO: MapQuest Toolbar Loader - {E34F0E11-AB79-487c-9773-36C594DFF5AA} - C:\Program Files\MapQuest Toolbar\mqtb.dll
O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-D0EA-EF7AF4D5FA7D} - (no file)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: MapQuest Toolbar - {57ABF0DD-577C-4ec6-855C-8DC29768C2B0} - C:\Program Files\MapQuest Toolbar\mqtb.dll
O3 - Toolbar: Verizon Broadband Toolbar - {4E7BD74F-2B8D-469E-8CB0-AB60BB9AAE22} - C:\PROGRA~1\VOL_TO~1\VOL_TO~1.DLL
O3 - Toolbar: (no name) - {0A1230F1-EB52-4CA3-9D34-DE2ABC2EED35} - (no file)
O3 - Toolbar: Yahoo! ½{¬Žãð - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Verizon_McciTrayApp] C:\Program Files\Verizon\McciTrayApp.exe
O4 - HKLM\..\Run: [VerizonServicepoint.exe] "C:\Program Files\Verizon\VSP\VerizonServicepoint.exe" /AUTORUN
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [gmail] c:\toskngr.exe
O4 - HKLM\..\Run: [MINIFLASHGET] "C:\Program Files\FlashGet Network\FlashGet Mini\FlashGetMini.exe" /minimize
O4 - HKLM\..\Run: [vmdetdhc.exe] C:\WINDOWS\system32\vmdetdhc.exe
O4 - HKLM\..\Run: [RavMonS] C:\WINDOWS\soni.exe
O4 - HKLM\..\Run: [360] C:\WINDOWS\360safe.exe
O4 - HKLM\..\Run: [D-Link AirPlus XtremeG] C:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MINIFLASHGET] "C:\Program Files\FlashGet Network\FlashGet Mini\FlashGetMini.exe" /minimize
O4 - HKLM\..\Policies\Explorer\Run: [user] C:\WINDOWS\Driver..\daemon.exe
O4 - HKLM\..\Policies\Explorer\Run: [nmzy_df] C:\WINDOWS\system\zyndle081012.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &MapQuest Toolbar Search - C:\Documents and Settings\All Users\Application Data\MapQuest Toolbar\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: ʹÓÃÃÔÄã¿ì³µÏÂÔØ - C:\Program Files\FlashGet Network\FlashGet Mini\GetUrl.htm
O8 - Extra context menu item: ʹÓÃÃÔÄã¿ì³µÏÂÔØÈ«²¿Á´½Ó - C:\Program Files\FlashGet Network\FlashGet Mini\GetAllUrl.htm
O8 - Extra context menu item: ʹÓÃÃÔÄã¿ì³µÏÂÔØ¸ÃÍøÒ³FLV - C:\Program Files\FlashGet Network\FlashGet Mini\FlashGetFlvdetector.htm
O8 - Extra context menu item: Ò×Ȥ¹ºÎï - C:\Program Files\AD4All\link1\ebaylink.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O11 - Options group: [!IESearch] !IESearch
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4E7BD74F-2B8D-469E-D0EA-EF7AF4D5FA7D} - http://www.searchfore.com/Vacation_Package/vptb.cab
O16 - DPF: {AC414988-E5BB-4C2C-873B-EA53D2F3D23A} (CCTVUpdateInstall) - http://t.live.cctv.com/ieocx/CCTVUpdateInstall.dll
O18 - Protocol: qyl - {C79BF22F-25C4-4D3D-8183-14149EAB9C0C} - C:\WINDOWS\system32\qylprotocol.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: SNS PSP Media Buffer for Window (rtpPStream) - Unknown owner - C:\WINDOWS\system32\rtmbufdx.exe

--
End of file - 9112 bytes

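As an added example (not part of the thread and not a HijackThis feature), the following Python script reads HijackThis v2 log lines like the ones in the post above and flags the entries a helper looks at first: a `UserInit=` value with anything besides userinit.exe, a non-empty `win.ini load=`, orphaned BHO/toolbar registrations, autostarts from `Policies\Explorer\Run` or from the drive root and the Windows folder, and services with no owner. The sample lines are copied from the posted log; the heuristics and the list of "normal" program folders are my own assumptions and give a triage hint, not a verdict on any file.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Sample input: a subset of the HijackThis log lines posted above (not a full log).
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\System32\smss.exe
F3 - REG:win.ini: load=C:\WINDOWS\system\rundll32.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system\rundll32.exe,
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: QylIEHlpr Class - {922C93CD-8B92-485a-8B40-F9DB7E0984A5} - C:\WINDOWS\system32\qylhelper.dll (file missing)
O3 - Toolbar: (no name) - {0A1230F1-EB52-4CA3-9D34-DE2ABC2EED35} - (no file)
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [gmail] c:\toskngr.exe
O4 - HKLM\..\Run: [RavMonS] C:\WINDOWS\soni.exe
O4 - HKLM\..\Run: [D-Link AirPlus XtremeG] C:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe
O4 - HKLM\..\Policies\Explorer\Run: [user] C:\WINDOWS\Driver..\daemon.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: SNS PSP Media Buffer for Window (rtpPStream) - Unknown owner - C:\WINDOWS\system32\rtmbufdx.exe
End of file - 9112 bytes
"""


@dataclass
class Finding:
    section: str  # HijackThis section code, e.g. "O4"
    reason: str   # why a helper would look at this entry first
    line: str     # the original log line


# An HJT entry is "<code> - <body>", e.g. "O4 - HKLM\..\Run: [name] value".
HJT_LINE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")

# Assumed folders an installed program normally starts from. A program started from
# the drive root, the Windows folder itself or the legacy C:\WINDOWS\system folder
# is unusual and worth a look; this is a hint, not a verdict.
LEGIT_DIR_RE = re.compile(r"^[a-z]:\\(program files|windows\\system32|windows\\ime)\\", re.I)


def extract_path(value: str) -> str:
    """Return the executable path from an O4 value: a quoted path, else the text
    up to the first .exe, else the first whitespace-separated token."""
    value = value.strip()
    if not value:
        return ""
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end > 0 else value[1:]
    m = re.match(r"(.*?\.exe)", value, re.I)
    return m.group(1) if m else value.split()[0]


def check_line(line: str) -> Optional[Finding]:
    """Apply the triage heuristics to one log line; None means nothing to flag."""
    m = HJT_LINE.match(line.strip())
    if not m:
        return None  # header, process list or blank line, not an entry
    code, body = m.group("code"), m.group("body")

    if code == "F2" and "UserInit=" in body:
        # Only userinit.exe belongs here; anything else is started at every logon.
        progs = [p.strip().lower() for p in body.split("UserInit=", 1)[1].split(",") if p.strip()]
        extra = [p for p in progs if not p.endswith("\\system32\\userinit.exe")]
        if extra:
            return Finding(code, "extra UserInit program(s): " + ", ".join(extra), line)

    if code == "F3" and "load=" in body:
        value = body.split("load=", 1)[1].strip()
        if value:  # win.ini load= is empty on a clean XP system
            return Finding(code, "win.ini load= is set to " + value, line)

    if code in ("O2", "O3") and ("(no file)" in body or "(file missing)" in body):
        return Finding(code, "orphaned browser add-on registration, file is gone", line)

    if code == "O4":
        key, _, value = body.partition(": ")
        if "Policies\\Explorer\\Run" in key:
            return Finding(code, "Policies\\Explorer\\Run autostart, rarely used by legitimate software", line)
        path = extract_path(value.split("] ", 1)[-1]).lower().replace("%systemroot%", "c:\\windows")
        if "..\\" in path:
            return Finding(code, "autostart path uses '..', real location is obscured", line)
        if not LEGIT_DIR_RE.match(path):
            return Finding(code, "autostart from unusual location " + path, line)

    if code == "O23" and "Unknown owner" in body:
        return Finding(code, "service binary with no publisher information", line)
    return None


def analyze(log_text: str) -> List[Finding]:
    """Run every line of a HijackThis log through check_line and collect the hits."""
    return [f for f in map(check_line, log_text.splitlines()) if f is not None]


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f.section:<4}{f.reason}\n    {f.line}")
```

Run against a full log the script leaves the Lexmark, IME, Java and AVG entries alone and surfaces the same F2/F3, `(no file)`, `Policies\Explorer\Run` and `C:\WINDOWS\*.exe` lines the helper asks to fix later in the thread.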
Old 16th November 2008   #2
Posted by Geri (Staff, Washington State)

Hi helpme2008
Welcome to WindowsBBS.

OK your dad has quite the mess going here.

Please do not download or run anything unless asked to do so, and answer all my questions.
Thanks!

Please do this in the order given.

The first thing is I don't see an Anti-Virus program running. This is a must have.


One of your first defenses against infections and hackers is an Anti-virus.
These are a Must Have to help keep you protected in today’s Internet world.
Here are some good ones and the best part, they are Free!

Please Download only 1 AV.

Anti-Virus
AVGFree
Avast

Download, Update and scan your computer with the AV. Quarantine/Delete anything it finds.
Check for updates at least once a week and do regular scans. Most AVs can be scheduled to scan at a given time; this is also recommended.

Now run this.

Download Malwarebytes' Anti-Malware (MBAM) from here or here and save the file to your desktop.

Double click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select 'Perform Quick Scan', then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note below)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Post the entire report in your next reply.

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Then this.

Delete the RSIT.exe you have.
  • Download RSIT by random/random and save it to your desktop.
  • Double click RSIT.exe to start the tool.
  • At the disclaimer, please use the drop down box to select 3 months for the file/folder search, then click Continue.
  • If prompted by your firewall to allow RSIT to access the internet, please allow it. It will be updating your version of HijackThis.
  • When the scan completes it will open a log named log.txt maximized, and a log named info.txt minimized.
  • Please post the contents of both logs here in your next reply.

Please post the MBAM log and the RSIT logs.

What ISP is your dad using?

Thanks
Geri

Old 17th November 2008   #3
Posted by helpme2008 (Member)


RSIT - Errors still -- but have logs

Geri,

Thanks for the reply. I really appreciate it. When did the roles reverse? When did the child become the parent and the parent the child?

I tried to follow your steps.

1) Downloaded AVG - Ran scan, which found some stuff. The PC is not connected to the network yet, so I did not get the latest update. But, the build was 10/1.

2) Malwarebytes' -- did run. The log is below. It had a couple of trojans it wanted removed during boot. I believe I ran Malwarebytes before, but it never removes these buggers. I still get these warnings when I boot:

a) RUNDLL - Error Loading c:\windows\system32\rltRM1.dll
The specific module could not be found.

b) Windows cannot find 'C:\windows\system\rundll32.exe'. Make sure you typed the name correctly, and then try again. To search for a file, click the start button and then click Search.

c) Could not load 'C:\windows\system\rundll32.exe' specified in registry. Make sure the file exists on your computer or remove the reference to it in the registry.

d) AIRPluscfg.exe - Unable to locate component. This application has failed to start because 'wlanapi.dll' was not found. Re-installing the application may fix this problem. <-- I tried to put a wireless USB card on it, to get to the network, but was unsuccessful. So, this is not trojan related. But, it is annoying.

e) I get this "Web page unavailable" and it's trying to goto "http://dxcpm.com/sogou.htm" -- I try not to connect to the web because of this.

3) Lastly, I tried to d/l RSIT again, and continue to get the "AutoIt" error I posted earlier. I just ran HijackThis again. The log is also below.

I wish I could be more help.

malware log:

Malwarebytes' Anti-Malware 1.30
Database version: 1306
Windows 5.1.2600 Service Pack 2

2008/11/16 ÏÂÎç 09:03:32
mbam-log-2008-11-16 (21-03-32).txt

Scan type: Quick Scan
Objects scanned: 52141
Time elapsed: 1 hour(s), 31 minute(s), 22 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 1
Registry Values Infected: 3
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system\zyndld32081012jt.dll (Trojan.Agent) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{f9ba1aa9-cad4-4c14-bde6-922dff5f6f38} (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vmdetdhc.exe (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{0a1230f1-eb52-4ca3-9d34-de2abc2eed35} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Extensions\CmdMapping\{ee60714f-ac17-427e-861a-fd60cbdf119a} (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\vmdetdhc.exe (Trojan.FakeAlert.H) -> Delete on reboot.
C:\WINDOWS\system\zyndld32081012.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system\zyndld32081012jt.dll (Trojan.Agent) -> Delete on reboot.

Old 17th November 2008   #4
Posted by helpme2008 (Member)


HiJackThis report - #2

Geri,

This is my Hijackthis log. Sorry, I could not get RSIT to work.

Looking forward to your response!

Helpless in VA.


-----

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at ÏÂÎç 09:18:11, on 2008/11/16
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\rtmbufdx.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\qqshel.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
C:\program files\internet explorer\iexplore.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Verizon\McciTrayApp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Verizon\VSP\VerizonServicepoint.exe
C:\toskngr.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\FlashGet Network\FlashGet Mini\FlashGetMini.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R3 - URLSearchHook: MapQuest Toolbar Search Class - {2731C719-B8C5-4282-993D-B5AD0E77531D} - C:\Program Files\MapQuest Toolbar\mqtb.dll
R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\NZSearch\SearchEnh1.dll
R3 - URLSearchHook: Yahoo! ½{¬Žãð - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
F3 - REG:win.ini: load=C:\WINDOWS\system\rundll32.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system\rundll32.exe,
N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\DSC\Application Data\Mozilla\Profiles\default\bo4a3ldz.slt\prefs.js)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Verizon Broadband Toolbar - {4E7BD74F-2B8D-469E-8CB0-AB60BB9AAE22} - C:\PROGRA~1\VOL_TO~1\VOL_TO~1.DLL (file missing)
O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-D0EA-EF7AF4D5FA7D} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: QylIEHlpr Class - {922C93CD-8B92-485a-8B40-F9DB7E0984A5} - C:\WINDOWS\system32\qylhelper.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: MiniFlashGetBHO - {C74E94A7-B7BD-4891-9328-455395BCC7AD} - C:\Program Files\FlashGet Network\FlashGet Mini\libMiniBHO.dll
O2 - BHO: MapQuest Toolbar Loader - {E34F0E11-AB79-487c-9773-36C594DFF5AA} - C:\Program Files\MapQuest Toolbar\mqtb.dll
O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-D0EA-EF7AF4D5FA7D} - (no file)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: MapQuest Toolbar - {57ABF0DD-577C-4ec6-855C-8DC29768C2B0} - C:\Program Files\MapQuest Toolbar\mqtb.dll
O3 - Toolbar: Verizon Broadband Toolbar - {4E7BD74F-2B8D-469E-8CB0-AB60BB9AAE22} - C:\PROGRA~1\VOL_TO~1\VOL_TO~1.DLL (file missing)
O3 - Toolbar: Yahoo! ½{¬Žãð - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Verizon_McciTrayApp] C:\Program Files\Verizon\McciTrayApp.exe
O4 - HKLM\..\Run: [VerizonServicepoint.exe] "C:\Program Files\Verizon\VSP\VerizonServicepoint.exe" /AUTORUN
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [gmail] c:\toskngr.exe
O4 - HKLM\..\Run: [MINIFLASHGET] "C:\Program Files\FlashGet Network\FlashGet Mini\FlashGetMini.exe" /minimize
O4 - HKLM\..\Run: [RavMonS] C:\WINDOWS\soni.exe
O4 - HKLM\..\Run: [360] C:\WINDOWS\360safe.exe
O4 - HKLM\..\Run: [D-Link AirPlus XtremeG] C:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MINIFLASHGET] "C:\Program Files\FlashGet Network\FlashGet Mini\FlashGetMini.exe" /minimize
O4 - HKLM\..\Policies\Explorer\Run: [user] C:\WINDOWS\Driver..\daemon.exe
O4 - HKLM\..\Policies\Explorer\Run: [nmzy_df] C:\WINDOWS\system\zyndle081012.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &MapQuest Toolbar Search - C:\Documents and Settings\All Users\Application Data\MapQuest Toolbar\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: ʹÓÃÃÔÄã¿ì³µÏÂÔØ - C:\Program Files\FlashGet Network\FlashGet Mini\GetUrl.htm
O8 - Extra context menu item: ʹÓÃÃÔÄã¿ì³µÏÂÔØÈ«²¿Á´½Ó - C:\Program Files\FlashGet Network\FlashGet Mini\GetAllUrl.htm
O8 - Extra context menu item: ʹÓÃÃÔÄã¿ì³µÏÂÔØ¸ÃÍøÒ³FLV - C:\Program Files\FlashGet Network\FlashGet Mini\FlashGetFlvdetector.htm
O8 - Extra context menu item: Ò×Ȥ¹ºÎï - C:\Program Files\AD4All\link1\ebaylink.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O11 - Options group: [!IESearch] !IESearch
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4E7BD74F-2B8D-469E-D0EA-EF7AF4D5FA7D} - http://www.searchfore.com/Vacation_Package/vptb.cab
O16 - DPF: {AC414988-E5BB-4C2C-873B-EA53D2F3D23A} (CCTVUpdateInstall) - http://t.live.cctv.com/ieocx/CCTVUpdateInstall.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: qyl - {C79BF22F-25C4-4D3D-8183-14149EAB9C0C} - C:\WINDOWS\system32\qylprotocol.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: SNS PSP Media Buffer for Window (rtpPStream) - Unknown owner - C:\WINDOWS\system32\rtmbufdx.exe

--
End of file - 10175 bytes

Old 17th November 2008   #5
Posted by helpme2008 (Member)


Dad's on Verizon...

Geri,

Forgot to answer your last question. My dad recently switched from Comcast to Verizon. That's our ISP.

Old 17th November 2008   #6
Posted by Geri (Staff, Washington State)

Hi
OK, so you want the Verizon tool bar removed?

Did you reboot after running MBAM?

Old 17th November 2008   #7
Posted by helpme2008 (Member)


Geri,

I'm not a fan of any toolbars -- Google, Verizon, any third party toolbars -- so, if I could remove it.. that'll be great.. but, that's the least of my worries. =)

MBAM asked for a reboot and I did. Those popups still showed up -- even after the reboot.

Old 17th November 2008   #8
Posted by Geri (Staff, Washington State)

Hi
OK please do the following.

Please go to Start > Control Panel > Add/Remove Programs (Windows Vista it’s Programs and Features) and remove the following (if present):


MapQuest Toolbar
Yahoo! Toolbar Helper <<Anything to do with Yahoo if he doesn't use it.
Verizon Broadband Toolbar
Google Toolbar Helper



Please note any other programs that you don't recognize in that list and post them in your next response.

Please re-open HiJackThis and scan only. Check the boxes next to all the entries listed below.

R3 - URLSearchHook: MapQuest Toolbar Search Class - {2731C719-B8C5-4282-993D-B5AD0E77531D} - C:\Program Files\MapQuest Toolbar\mqtb.dll
R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\NZSearch\SearchEnh1.dll
R3 - URLSearchHook: Yahoo! ½{¬Žãð - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
F3 - REG:win.ini: load=C:\WINDOWS\system\rundll32.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system\rundll32.exe,
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Verizon Broadband Toolbar - {4E7BD74F-2B8D-469E-8CB0-AB60BB9AAE22} - C:\PROGRA~1\VOL_TO~1\VOL_TO~1.DLL (file missing)
O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-D0EA-EF7AF4D5FA7D} - (no file)
O2 - BHO: QylIEHlpr Class - {922C93CD-8B92-485a-8B40-F9DB7E0984A5} - C:\WINDOWS\system32\qylhelper.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: MapQuest Toolbar Loader - {E34F0E11-AB79-487c-9773-36C594DFF5AA} - C:\Program Files\MapQuest Toolbar\mqtb.dll
O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-D0EA-EF7AF4D5FA7D} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: MapQuest Toolbar - {57ABF0DD-577C-4ec6-855C-8DC29768C2B0} - C:\Program Files\MapQuest Toolbar\mqtb.dll
O3 - Toolbar: Verizon Broadband Toolbar - {4E7BD74F-2B8D-469E-8CB0-AB60BB9AAE22} - C:\PROGRA~1\VOL_TO~1\VOL_TO~1.DLL (file missing)
O3 - Toolbar: Yahoo! ½{¬Žãð - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll


Now close all windows other than HijackThis, then click Fix Checked.

Close HJT.

Using Windows Explorer (to get there, right-click your Start button and go to "Explore"), please delete these folders (if present):

C:\Program Files\MapQuest Toolbar
C:\Program Files\NZSearch
C:\Program Files\Yahoo!
C:\PROGRAM FILES\VOL_TO~1  << the folder whose name starts with these six letters: VOL_TO
c:\program files\google



After that, Reboot.

Take note of any error messages you receive after reboot.

Now do this.

Download ComboFix from Here to your Desktop.

It's best to disable realtime protection applications as they sometimes interfere with the tool.
Check this link for any applicable programs you may have.
  • Close all open programs and windows
  • Double click combofix.exe and follow the prompts.
  • Vista users right click Combofix.exe and select Run As Administrator.
  • When finished, it shall produce a log for you. Post the Combofix log
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

**NOTE - Allow ComboFix to update if prompted.

Note - ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.

Note - Combofix makes some changes when run to prevent autorun/autoplay of ALL CDs, floppies and USB devices, to assist with malware removal & increase security. If this is an issue or makes it difficult for you to use those devices, please ask how to reset it.

Please post the Combofix log and a new HJT log.

Thanks
Geri

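The entries Geri picks out above are the judgment calls a HijackThis helper makes by eye: an F2 UserInit value with a second program appended, a win.ini load= that should be blank, BHO and toolbar registrations whose DLL is gone, and (later in this thread) an autostart pointing at an executable dropped in the root of C:\. The script below is an added example, not part of this thread and not a HijackThis component. It runs those checks, plus one for binaries parked in C:\WINDOWS\system\ (the real rundll32.exe lives in system32), over HJT lines copied from the logs quoted in this thread. The rules and the reasons it emits are this example's own; toolbar reputation (the R3/O2 entries for MapQuest, NZSearch and the like) is deliberately left to the human.

```python
"""Triage HijackThis (HJT) log lines for common hijack indicators.

Added example: not part of the WindowsBBS thread and not a HijackThis component.
SAMPLE_LOG is copied from the HJT logs quoted in this thread; the rules below
are this example's own and deliberately conservative (no vendor reputation).
"""
import re

# Constructed sample input: lines copied from the HJT logs posted in this thread.
SAMPLE_LOG = r"""
R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\NZSearch\SearchEnh1.dll
F3 - REG:win.ini: load=C:\WINDOWS\system\rundll32.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system\rundll32.exe,
O2 - BHO: QylIEHlpr Class - {922C93CD-8B92-485a-8B40-F9DB7E0984A5} - C:\WINDOWS\system32\qylhelper.dll (file missing)
O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-D0EA-EF7AF4D5FA7D} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [gmail] c:\toskngr.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

# XP default UserInit: userinit.exe in system32 with a trailing comma. Anything
# appended is launched at every logon, before the shell comes up.
USERINIT_OK = re.compile(r"^c:\\windows\\system32\\userinit\.exe,?$", re.I)
# An autostart whose target sits directly in the drive root (c:\name.exe).
ROOT_EXE = re.compile(r'^"?[a-z]:\\[^\\]+\.exe"?', re.I)
# rundll32.exe lives in system32; a copy under \windows\system\ is a lookalike
# path that reads as legitimate at a glance.
LOOKALIKE_DIR = re.compile(r"[a-z]:\\windows\\system\\[^\\,\s]+\.exe", re.I)


def triage(log_text):
    """Return (section, reason, line) tuples for HJT entries worth a closer look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        section = line.split(" - ", 1)[0]
        reasons = []
        if section == "F2" and "UserInit=" in line:
            value = line.split("UserInit=", 1)[1].strip()
            if not USERINIT_OK.match(value):
                reasons.append("UserInit launches something besides userinit.exe")
        elif section == "F3" and "load=" in line:
            if line.split("load=", 1)[1].strip():
                reasons.append("win.ini load= is non-empty (should be blank)")
        elif section in ("O2", "O3") and line.endswith(("(file missing)", "(no file)")):
            reasons.append("BHO/toolbar still registered but its DLL is gone")
        elif section == "O4":
            target = re.search(r"\]\s+(.*)$", line)
            if target and ROOT_EXE.match(target.group(1)):
                reasons.append("autostart runs an executable from the drive root")
        if LOOKALIKE_DIR.search(line):
            reasons.append(r"executable under \windows\system\ instead of system32")
        findings.extend((section, why, line) for why in reasons)
    return findings


if __name__ == "__main__":
    for section, why, line in triage(SAMPLE_LOG):
        print("%s  %-55s %s" % (section, why, line))
```

On the sample above the pass flags the F2 and F3 entries twice each (hijacked value plus lookalike directory), both dead BHO registrations and the c:\toskngr.exe autostart, and leaves the Google, AVG and ctfmon entries alone; a helper still has to decide what to do about the flagged lines.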
Old 17th November 2008   #9
helpme2008 (Member)


Geri,

Thanks for your prompt reply. I feel like we're making a lot of headway.

During bootup, I still get:

RUNDLL - Error Loading c:\windows\system32\rltRM1.dll
The specific module could not be found. (This showed up when ComboFix's Find3M stage was running during the boot phase too.)

This happens before I even see any icons or the taskbar rendered, but after the "Welcome" screen. It's super early. I click Close.

I tried to remove "ANIO Service" under my programs list and believe it's part of the Trojan. It would not remove, and an IE web page showed up when I tried.

Also, there's a ".bad" directory which I cannot delete.

I tried to remove the "Verizon toolbar", but get a "DLL missing" error.

It takes forever for the icons to render. I get the generic ones, if at all, and then 20-30 seconds later I get the normal ones.

Sorry, the ComboFix log had a mix of Chinese writing which I did not understand. It appears to adjust to the native language of the computer. Interesting.

ComboFix 08-11-16.04 - DSC 2008-11-17 0:11:28.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.936.86.1033.18.351 [GMT -5:00]
Running from: c:\documents and settings\DSC\Desktop\ComboFix.exe
* Created a new restore point

WARNING - THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Deleted files )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Media Player\obj\wmpobj.sys
c:\documents and settings\All Users\Application Data\microsoft\office\system
c:\documents and settings\All Users\Application Data\microsoft\office\userdata
c:\documents and settings\All Users\Application Data\microsoft\office\userdata\_keepfile
c:\documents and settings\All Users\zyndf16.ini
c:\documents and settings\All Users\zyndf32.ini
c:\documents and settings\DSC\Application Data\BITS
c:\documents and settings\DSC\Application Data\BITS\BITS.ini
c:\documents and settings\DSC\Application Data\BITS\DHTTable.dat
c:\documents and settings\DSC\Application Data\BITS\ProxyList.ini
c:\documents and settings\DSC\Application Data\BITS\UPnP.ini
c:\documents and settings\DSC\Favorites\找到123网址导航.url
c:\documents and settings\DSC\Local Settings\Temporary Internet Files\_inifiletime3
c:\documents and settings\DSC\Local Settings\Temporary Internet Files\_inimac
c:\documents and settings\DSC\Local Settings\Temporary Internet Files\_loaderfiletime2
c:\documents and settings\NetworkService\Favorites\找到123网址导航.url
c:\documents and settings\NetworkService\Local Settings\Temporary Internet Files\__fdkfjfjgjitijk
c:\documents and settings\NetworkService\Local Settings\Temporary Internet Files\_inifid
c:\documents and settings\NetworkService\Local Settings\Temporary Internet Files\_inifiletime3
c:\documents and settings\NetworkService\Local Settings\Temporary Internet Files\_inimac
c:\documents and settings\NetworkService\Local Settings\Temporary Internet Files\_KC
c:\documents and settings\NetworkService\Local Settings\Temporary Internet Files\_KC\1002
c:\documents and settings\NetworkService\Local Settings\Temporary Internet Files\_KC\3003
c:\documents and settings\NetworkService\Local Settings\Temporary Internet Files\_KC\3004
c:\documents and settings\NetworkService\Local Settings\Temporary Internet Files\_KC\3018
c:\documents and settings\NetworkService\Local Settings\Temporary Internet Files\_KC\3019
c:\documents and settings\NetworkService\Local Settings\Temporary Internet Files\_KC\3024
c:\documents and settings\NetworkService\Local Settings\Temporary Internet Files\_KC\3033
c:\documents and settings\NetworkService\Local Settings\Temporary Internet Files\_KC\3043
c:\documents and settings\NetworkService\Local Settings\Temporary Internet Files\_KC\3044
c:\documents and settings\NetworkService\Local Settings\Temporary Internet Files\_KC\3052
c:\documents and settings\NetworkService\Local Settings\Temporary Internet Files\_KC\3082
c:\documents and settings\NetworkService\Local Settings\Temporary Internet Files\_KC\3097
c:\documents and settings\NetworkService\Local Settings\Temporary Internet Files\_kdacoptfg
c:\documents and settings\NetworkService\Local Settings\Temporary Internet Files\_web_download_3
c:\program files\ad4all
c:\program files\ad4all\Install.exe
c:\program files\ad4all\install.ini
c:\program files\ad4all\link1\eachlink.ico
c:\program files\ad4all\link1\ebaylink.htm
c:\program files\ad4all\link1\ebaylink.ico
c:\program files\ad4all\link1\install.ini
c:\program files\FlashGet Network
c:\program files\FlashGet Network\FlashGet Mini\dat\FlashGetMini.xml
c:\program files\FlashGet Network\FlashGet Mini\dat\FlvDetector.ini
c:\program files\FlashGet Network\FlashGet Mini\dat\taskdb.xml
c:\program files\FlashGet Network\FlashGet Mini\FlashGetExt.dll
c:\program files\FlashGet Network\FlashGet Mini\FlashGetFlvdetector.htm
c:\program files\FlashGet Network\FlashGet Mini\GetAllUrl.htm
c:\program files\FlashGet Network\FlashGet Mini\GetUrl.htm
c:\program files\FlashGet Network\FlashGet Mini\pup.dat
C:\text.txt
c:\windows\c2cbb6650c.dll
c:\windows\dt1.dat
c:\windows\ias.dll
c:\windows\icpb.dll
c:\windows\Kler
c:\windows\mspcexp.dll
c:\windows\MsWino.dat
c:\windows\qqshel.exe
c:\windows\sebs
c:\windows\sv.dat
c:\windows\sv.ini
c:\windows\system\zyndld32081012.dll
c:\windows\system\zyndld32081012jt.dll
c:\windows\system\zyndle081012.exe
c:\windows\system32\3733ec7a00.dll
c:\windows\system32\604073640c.dll
c:\windows\system32\admshare.dat
c:\windows\system32\cfl_Info.nt
c:\windows\system32\config\systemprofile\Favorites\一起来音乐社区.url
c:\windows\system32\config\systemprofile\Favorites\找到123网址导航.url
c:\windows\system32\gprmsgse.axz
c:\windows\system32\gscpx32r.det
c:\windows\system32\inf\svchoct.exe
c:\windows\system32\kmd.exe
c:\windows\system32\mywfhit.ini
c:\windows\system32\mywfhit.ini.tmp
c:\windows\system32\open.ico
c:\windows\system32\rtmbufdx.exe
c:\windows\system32\sslsocket.dll
c:\windows\system32\tebiurecs.ve
c:\windows\system32\tmpzydf0.exe
c:\windows\system32\tmpzydf1.exe
c:\windows\system32\tmpzydf3.exe
c:\windows\system32\tmpzydf4.exe
c:\windows\system32\vwndvtb60.dat
c:\windows\system32\vwndvtb60.dat.new
c:\windows\system32\xxxz23.ini
c:\windows\tawisys.ini
c:\windows\UP
c:\windows\vapa.ini
c:\windows\vv.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_IAS
-------\Legacy_IPRIP
-------\Legacy_NETWORK_SERVICES
-------\Legacy_RTPPSTREAM
-------\Legacy_WBWIN
-------\Legacy_WMPOBJ
-------\Service_Ias
-------\Service_IPRIP
-------\Service_rtpPStream
-------\Service_wmpobj


((((((((((((((((((((((((( Files created from 2008-10-17 to 2008-11-17 )))))))))))))))))))))))))))))))
.

2008-11-16 19:26 . 2008-11-16 19:27 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-11-16 19:26 . 2008-10-22 16:10 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-11-16 19:26 . 2008-10-22 16:10 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-11-16 17:38 . 2008-11-16 23:19 <DIR> d--h----- C:\$AVG8.VAULT$
2008-11-16 17:35 . 2008-11-16 17:35 76,040 --a------ c:\windows\system32\drivers\avgtdix.sys
2008-11-16 17:35 . 2008-11-16 17:35 10,520 --a------ c:\windows\system32\avgrsstx.dll
2008-11-16 17:34 . 2008-11-16 17:34 <DIR> d-------- c:\windows\system32\drivers\Avg
2008-11-16 17:34 . 2008-11-16 17:34 <DIR> d-------- c:\program files\AVG
2008-11-16 17:34 . 2008-11-16 17:34 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
2008-11-16 17:34 . 2008-11-16 17:34 97,928 --a------ c:\windows\system32\drivers\avgldx86.sys
2008-11-16 12:40 . 2008-11-16 12:40 <DIR> d-------- C:\rsit
2008-11-16 01:18 . 2005-03-15 20:11 283,904 -ra------ c:\windows\system32\drivers\A5AGU.sys
2008-11-16 01:18 . 2005-03-15 20:11 143,688 -ra------ c:\windows\system32\drivers\ar5523.bin
2008-11-16 01:18 . 2005-03-15 20:11 43,392 -ra------ c:\windows\system32\drivers\Athfmwdl.sys
2008-11-16 01:00 . 2008-11-16 01:00 <DIR> d-------- c:\program files\ANI
2008-11-16 01:00 . 2004-07-27 11:20 36,864 --a------ c:\windows\system32\ANIOApi.dll
2008-11-16 01:00 . 2004-07-27 11:20 28,205 --a------ c:\windows\system32\ANIO.sys
2008-11-16 01:00 . 2004-07-27 11:20 16,997 --a------ c:\windows\system32\ANIO.VXD
2008-11-16 01:00 . 2004-07-27 11:20 11,904 --a------ c:\windows\system32\anio4.sys
2008-11-16 00:56 . 2008-11-16 00:56 <DIR> d-------- c:\program files\D-Link

.
(((((((((((((((((((((((((((((((((((((((( Files modified in the last three months ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-17 04:47 --------- d-----w c:\documents and settings\All Users\Application Data\MapQuest Toolbar
2008-11-16 15:11 --------- d-----w c:\program files\ewido anti-malware
2008-11-16 07:31 --------- d-----w c:\program files\SUPERAntiSpyware
2008-11-16 07:16 --------- d-----w c:\program files\Common Files\Real
2008-11-16 06:47 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-11-16 06:47 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-16 06:00 --------- d--h--w c:\program files\InstallShield Installation Information
2008-10-12 01:00 --------- d-----w c:\documents and settings\DSC\Application Data\Malwarebytes
2008-10-12 01:00 --------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2008-10-12 00:18 --------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2008-10-11 22:06 --------- d-----w c:\program files\Panda Security
2008-10-03 20:25 --------- d-----w c:\documents and settings\NetworkService\Application Data\VOL_TOOLBAR
2008-09-29 17:21 28,672 --sh--r C:\toskngr.exe
2008-09-22 02:31 --------- d-----w c:\program files\Sun
2008-09-22 02:30 --------- d-----w c:\program files\Java
2008-09-21 23:46 --------- d-----w c:\program files\Lavasoft
2008-09-21 23:44 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2008-09-19 19:36 --------- d-----w c:\program files\PPLive
2008-09-19 19:34 --------- d-----w c:\documents and settings\All Users\Application Data\PPLive
2005-12-20 03:51 184,808 -c--a-w c:\documents and settings\DSC\Application Data\shb.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Lexmark X74-X75"="c:\program files\Lexmark X74-X75\lxbbbmgr.exe" [2002-06-24 57344]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2006-10-30 256576]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2001-08-18 44032]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2002-08-28 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2002-08-28 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2002-08-28 455168]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"Verizon_McciTrayApp"="c:\program files\Verizon\McciTrayApp.exe" [2007-09-28 936960]
"VerizonServicepoint.exe"="c:\program files\Verizon\VSP\VerizonServicepoint.exe" [2007-05-11 2061816]
"gmail"="c:\toskngr.exe" [2008-09-29 28672]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-11-16 1234712]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
backup=c:\windows\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tgcmd
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Registry Repair Pro

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
--a--c--- 2004-12-14 02:12 483328 c:\program files\Adobe\Acrobat 7.0\Distillr\acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DataLayer]
--a--c--- 2004-06-07 11:07 1097728 c:\progra~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2006-10-30 09:36 256576 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
--a--c--- 2000-07-13 15:00 28739 c:\program files\Microsoft Works\WkDetect.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 11:24 1694208 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
--a--c--- 2004-05-21 09:41 148992 c:\progra~1\Nokia\NOKIAP~1\TRAYAP~1.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Bonjour Service"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Java\\jre1.6.0_01\\bin\\javaw.exe"=
"c:\\Program Files\\Java\\jre1.6.0_05\\bin\\javaw.exe"=
"c:\\Program Files\\PPLive\\PPLive.exe"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

R0 mtudh;mtudh;c:\windows\system32\drivers\mtudh.sys [2004-01-01 23392]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-10-11 28544]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-11-16 97928]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-11-16 875288]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-11-16 231704]
R2 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\Drivers\avgtdix.sys [2008-11-16 76040]
R2 osetgd;osetgd;\??\c:\windows\system32\drivers\osetgd.sys [2008-09-26 23024]
S0 kpqmw;kpqmw;c:\windows\system32\drivers\kpqmw.sys []
S2 mscrtu;mscrtu;\??\c:\windows\system32\drivers\mscrtu.sys []
S2 msfkcy;msfkcy;\??\c:\windows\system32\drivers\msfkcy.sys []
S2 mslbpr;mslbpr;\??\c:\windows\system32\drivers\mslbpr.sys []
S2 msnhoi;msnhoi;\??\c:\windows\system32\drivers\msnhoi.sys []
S2 msuwrl;msuwrl;\??\c:\windows\system32\drivers\msuwrl.sys []
S2 mswhia;mswhia;\??\c:\windows\system32\drivers\mswhia.sys []
S2 msxulk;msxulk;\??\c:\windows\system32\drivers\msxulk.sys []
S2 msyzut;msyzut;\??\c:\windows\system32\drivers\msyzut.sys []
S2 nsbopx;nsbopx;\??\c:\windows\system32\drivers\nsbopx.sys []
S2 nseoew;nseoew;\??\c:\windows\system32\drivers\nseoew.sys []
S2 nshpme;nshpme;\??\c:\windows\system32\drivers\nshpme.sys []
S2 nsjngk;nsjngk;\??\c:\windows\system32\drivers\nsjngk.sys []
S2 nsnvnr;nsnvnr;\??\c:\windows\system32\drivers\nsnvnr.sys []
S2 nspkxi;nspkxi;\??\c:\windows\system32\drivers\nspkxi.sys []
S2 nsqafs;nsqafs;\??\c:\windows\system32\drivers\nsqafs.sys []
S2 nsumkl;nsumkl;\??\c:\windows\system32\drivers\nsumkl.sys []
S2 nszset;nszset;\??\c:\windows\system32\drivers\nszset.sys []
S2 osduiq;osduiq;\??\c:\windows\system32\drivers\osduiq.sys []
S2 osfpec;osfpec;\??\c:\windows\system32\drivers\osfpec.sys []
S2 osjygb;osjygb;\??\c:\windows\system32\drivers\osjygb.sys []
S2 osmopb;osmopb;\??\c:\windows\system32\drivers\osmopb.sys []
S2 osqszm;osqszm;\??\c:\windows\system32\drivers\osqszm.sys []
S2 osrhpa;osrhpa;\??\c:\windows\system32\drivers\osrhpa.sys []
S2 osyjmi;osyjmi;\??\c:\windows\system32\drivers\osyjmi.sys []
S2 XaWin;XaWin;c:\windows\System32\svchost.exe -k netsvcs [2002-08-01 14336]
S3 A5AGU;D-Link USB Wireless Network Adapter Service;c:\windows\system32\DRIVERS\A5AGU.sys [2008-11-16 283904]
S3 ATHFMWDL;D-Link predator Bootloader driver;c:\windows\system32\Drivers\ATHFMWDL.sys [2008-11-16 43392]
S4 hpt3xx;hpt3xx; []

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
XaWin
.
Contents of the 'Scheduled Tasks' folder

2008-10-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2006-10-10 17:13]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-RavMonS - c:\windows\soni.exe
HKLM-Run-360 - c:\windows\360safe.exe
HKLM-Explorer_Run-user - c:\windows\Driver..\daemon.exe
HKLM-Explorer_Run-nmzy_df - c:\windows\system\zyndle081012.exe
MSConfigStartUp-QuickTime Task - c:\program files\QuickTime\qttask.exe
MSConfigStartUp-spc_w - c:\program files\NZSearch\nzspc.exe
MSConfigStartUp-Device Detector - DevDetect.exe


.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\documents and settings\DSC\Application Data\Mozilla\Firefox\Profiles\vcdirdb6.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxps://trading.scottrade.com/Default.aspx?lang=tw|http://www.google.com/firefox?client...en-US:official
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-17 00:19:24
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
user = c:\windows\Driver..\daemon.exe????????????????????????????????????????????? ???????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\conime.exe
c:\windows\system32\wscntfy.exe
c:\program files\Lexmark X74-X75\lxbbbmon.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\program files\AVG\AVG8\avgrsx.exe
.
**************************************************************************
.
Completion time: 2008-11-17 0:27:19 - machine was rebooted [DSC]
ComboFix-quarantined-files.txt 2008-11-17 05:26:51

Pre-Run: 20,560,261,120 bytes free
Post-Run: 20,464,476,160 bytes free

298 --- E O F --- 2008-11-17 05:00:59

HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:27:23, on 2008-11-17
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\conime.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Verizon\McciTrayApp.exe
C:\Program Files\Verizon\VSP\VerizonServicepoint.exe
C:\toskngr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\DSC\Application Data\Mozilla\Profiles\default\bo4a3ldz.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Verizon_McciTrayApp] C:\Program Files\Verizon\McciTrayApp.exe
O4 - HKLM\..\Run: [VerizonServicepoint.exe] "C:\Program Files\Verizon\VSP\VerizonServicepoint.exe" /AUTORUN
O4 - HKLM\..\Run: [gmail] c:\toskngr.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: 易趣购物 - C:\Program Files\AD4All\link1\ebaylink.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O11 - Options group: [!IESearch] !IESearch
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {AC414988-E5BB-4C2C-873B-EA53D2F3D23A} (CCTVUpdateInstall) - http://t.live.cctv.com/ieocx/CCTVUpdateInstall.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: qyl - {C79BF22F-25C4-4D3D-8183-14149EAB9C0C} - C:\WINDOWS\system32\qylprotocol.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

--
End of file - 6256 bytes

Old 17th November 2008   #10
helpme2008 (Member)


I don't believe my Dad uses gmail...

Hey, I noticed this, and I'm not sure why it's loaded at root, and I know my dad does not use gmail.

Is this bad?

"gmail"="c:\toskngr.exe" [2008-09-29 28672]

Old 18th November 2008   #11
Geri (Staff)

Hi
OK, look for gmail in his Add/Remove list and delete it if present, and delete this file:
c:\toskngr.exe

You posted the second run from ComboFix,
ComboFix 08-11-16.04 - DSC 2008-11-17 0:11:28.2
I would like to see the log from the first run.

Please open C:\qoobox and post the log from ComboFix2.txt.

ANIO Service seems to be related to D-Link wireless cards.

Thanks

Old 18th November 2008   #12
helpme2008 (Member)


I went to the Add/Remove Programs list and there's no reference to GMAIL. And when I go to the C:\ drive, there's no file there either. I went into Options to show hidden files; I see other hidden files like MSDOS.SYS and IO.SYS, but not our file.

I went into the C:\Qoobox directory and there's only ComboFix-quarantined-files.txt.

I have a ComboFix.txt under C:\, which I uploaded.

But no ComboFix2.txt. I even searched for "ComboFix" and it found those 2 files.

Old 18th November 2008   #13
helpme2008 (Member)


I just removed the "O4 - HKLM\..\Run: [gmail] c:\toskngr.exe" entry via HJT. The RUNDLL error popup is still there. Nothing has changed.
Old 18th November 2008   #14
Geri (Staff)

Hi
OK, please do this.

Highlight and copy the contents of the code box below and paste it into a blank Notepad, then save it to your desktop as:

Filename: CFScript.txt
Save As Type: All Files (*.*)

Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button.
Click here to see how to use CFScript.txt
ComboFix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log.

Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.

Code:
File::
c:\toskngr.exe
c:\windows\system32\rltRM1.dll
c:\windows\system32\drivers\osetgd.sys
c:\windows\system32\drivers\kpqmw.sys
c:\windows\system32\drivers\mscrtu.sys
c:\windows\system32\drivers\msfkcy.sys
c:\windows\system32\drivers\mslbpr.sys
c:\windows\system32\drivers\msnhoi.sys
c:\windows\system32\drivers\msuwrl.sys
c:\windows\system32\drivers\mswhia.sys
c:\windows\system32\drivers\msxulk.sys
c:\windows\system32\drivers\msyzut.sys
c:\windows\system32\drivers\nsbopx.sys
c:\windows\system32\drivers\nseoew.sys
c:\windows\system32\drivers\nshpme.sys
c:\windows\system32\drivers\nsjngk.sys
c:\windows\system32\drivers\nsnvnr.sys
c:\windows\system32\drivers\nspkxi.sys
c:\windows\system32\drivers\nsqafs.sys
c:\windows\system32\drivers\nsumkl.sys
c:\windows\system32\drivers\nszset.sys
c:\windows\system32\drivers\osduiq.sys
c:\windows\system32\drivers\osfpec.sys
c:\windows\system32\drivers\osjygb.sys
c:\windows\system32\drivers\osmopb.sys
c:\windows\system32\drivers\osqszm.sys
c:\windows\system32\drivers\osrhpa.sys
c:\windows\system32\drivers\osyjmi.sys

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"gmail"=-

Driver::
osetgd
kpqmw
mscrtu
msfkcy
mslbpr
msnhoi
msuwrl
mswhia
msxulk
msyzut
nsbopx
nseoew
nshpme
nsjngk
nsnvnr
nspkxi
nsqafs
nsumkl
nszset
osduiq
osfpec
osjygb
osmopb
osqszm
osrhpa
osyjmi

Please post the ComboFix log.

Thanks
Geri

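Geri's CFScript above lists the same drivers twice, once by path under File:: and once by service name under Driver::, and a stray quote in the hand-typed c:\toskngr.exe" line is echoed straight back by ComboFix in the next log. The script below is an added example, not part of this thread and not ComboFix's own tooling: it derives such a CFScript from the Drivers/Services section of a ComboFix log. It flags a kernel driver when its service name doubles as its display name, its image is a .sys under \drivers\, and either ComboFix reports the file missing (empty []) or the service was registered with a raw \??\ NT path, as osetgd was. The sample lines are copied from the log posted earlier in the thread; the flagging rule is this example's own, and the svchost-hosted XaWin service is deliberately left alone because that line does not show which DLL it loads. File::, Registry:: and Driver:: are ComboFix's real CFScript section names; the generated text is a draft for a trained helper to review, not something to drop onto ComboFix unread.

```python
"""Build a ComboFix CFScript from the Drivers/Services section of a ComboFix log.

Added example: not part of the WindowsBBS thread and not a ComboFix component.
SAMPLE_DRIVERS is copied from the ComboFix log posted earlier in the thread; the
flagging rule is this example's own. File::, Registry:: and Driver:: are the
real CFScript section names; the output is a draft for a helper to review.
"""
import re

# Constructed sample input: lines copied from the ComboFix log above.
SAMPLE_DRIVERS = r"""
R0 mtudh;mtudh;c:\windows\system32\drivers\mtudh.sys [2004-01-01 23392]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-11-16 97928]
R2 osetgd;osetgd;\??\c:\windows\system32\drivers\osetgd.sys [2008-09-26 23024]
S0 kpqmw;kpqmw;c:\windows\system32\drivers\kpqmw.sys []
S2 mscrtu;mscrtu;\??\c:\windows\system32\drivers\mscrtu.sys []
S2 nsbopx;nsbopx;\??\c:\windows\system32\drivers\nsbopx.sys []
S2 XaWin;XaWin;c:\windows\System32\svchost.exe -k netsvcs [2002-08-01 14336]
S3 A5AGU;D-Link USB Wireless Network Adapter Service;c:\windows\system32\DRIVERS\A5AGU.sys [2008-11-16 283904]
S4 hpt3xx;hpt3xx; []
"""

NT_PREFIX = "\\??\\"  # raw NT object path; ComboFix prints it verbatim
# "<state> <name>;<display>;<image path> [<date> <size>]"; the brackets are
# empty when ComboFix could not find the image file on disk.
LINE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.*?)\s*\[(.*)\]\s*$")
DRIVER_SYS = re.compile(r"\\drivers\\[^\\]+\.sys$", re.I)


def parse_drivers(text):
    """Yield one dict per R*/S* line; lines that do not fit the layout are skipped."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        state, name, display, path, info = m.groups()
        path = path.strip()
        yield {"state": state, "name": name, "display": display, "path": path,
               "file_present": bool(info.strip()),
               "nt_path": path.startswith(NT_PREFIX)}


def suspicious_drivers(text):
    """Flag a kernel driver when its service name doubles as its display name,
    its image is a .sys under \\drivers\\, and either the image is already gone
    or the service was registered with a raw \\??\\ path (hand-registered
    droppers do this; INF-installed drivers normally do not)."""
    return [d for d in parse_drivers(text)
            if d["name"] == d["display"] and DRIVER_SYS.search(d["path"])
            and (not d["file_present"] or d["nt_path"])]


def clean_path(path):
    """CFScript wants plain Win32 paths: drop the \\??\\ prefix and stray quotes
    (the hand-typed script above has c:\\toskngr.exe" with a trailing quote)."""
    if path.startswith(NT_PREFIX):
        path = path[len(NT_PREFIX):]
    return path.strip().strip('"')


def build_cfscript(files=(), drivers=(), registry_deletes=None):
    """Render File::, Registry:: and Driver:: sections.
    registry_deletes maps a key path to value names to remove ("name"=- syntax)."""
    lines = []
    if files:
        lines += ["File::"] + [clean_path(p) for p in files] + [""]
    if registry_deletes:
        lines.append("Registry::")
        for key, values in registry_deletes.items():
            lines.append("[%s]" % key)
            lines += ['"%s"=-' % v for v in values]
        lines.append("")
    if drivers:
        lines += ["Driver::"] + list(drivers) + [""]
    return "\n".join(lines)


def cfscript_for(text, extra_files=(), registry_deletes=None):
    """Parse the log section, flag drivers, and render the script in one call."""
    flagged = suspicious_drivers(text)
    files = list(extra_files) + [d["path"] for d in flagged]
    return build_cfscript(files, [d["name"] for d in flagged], registry_deletes)


if __name__ == "__main__":
    print(cfscript_for(
        SAMPLE_DRIVERS,
        extra_files=[r'c:\toskngr.exe"', r"c:\windows\system32\rltRM1.dll"],
        registry_deletes={
            r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run": ["gmail"]},
    ))
```

On the sample section the rule picks osetgd, kpqmw, mscrtu and nsbopx and passes over mtudh (plain path, file present), the AVG and D-Link drivers (display names differ), hpt3xx (no image path at all) and XaWin; the two extra File:: entries and the "gmail"=- deletion are passed in by hand, exactly as they were in Geri's script.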
Old 18th November 2008   #15
helpme2008 (Member)


Geri,

Thanks for your prompt replies. I've been looking forward to your responses all day. I did run ComboFix with the script above. The first time, the window didn't invoke; I had to turn off AVG. I think that might have happened the first time too. Ergo, the extra ComboFix run.

I walked away while ComboFix was running; I believe it rebooted. I'm trying to shut down. Is it supposed to take 10 minutes to shut down the desktop?

The latest results are:

ComboFix 08-11-16.04 - DSC 2008-11-18 0:19:27.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.936.1.1033.18.341 [GMT -5:00]
Running from: c:\documents and settings\DSC\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\DSC\Desktop\CFScript.txt
* Created a new restore point

WARNING - THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
c:\toskngr.exe"
c:\windows\system32\drivers\kpqmw.sys
c:\windows\system32\drivers\mscrtu.sys
c:\windows\system32\drivers\msfkcy.sys
c:\windows\system32\drivers\mslbpr.sys
c:\windows\system32\drivers\msnhoi.sys
c:\windows\system32\drivers\msuwrl.sys
c:\windows\system32\drivers\mswhia.sys
c:\windows\system32\drivers\msxulk.sys
c:\windows\system32\drivers\msyzut.sys
c:\windows\system32\drivers\nsbopx.sys
c:\windows\system32\drivers\nseoew.sys
c:\windows\system32\drivers\nshpme.sys
c:\windows\system32\drivers\nsjngk.sys
c:\windows\system32\drivers\nsnvnr.sys
c:\windows\system32\drivers\nspkxi.sys
c:\windows\system32\drivers\nsqafs.sys
c:\windows\system32\drivers\nsumkl.sys
c:\windows\system32\drivers\nszset.sys
c:\windows\system32\drivers\osduiq.sys
c:\windows\system32\drivers\osetgd.sys
c:\windows\system32\drivers\osfpec.sys
c:\windows\system32\drivers\osjygb.sys
c:\windows\system32\drivers\osmopb.sys
c:\windows\system32\drivers\osqszm.sys
c:\windows\system32\drivers\osrhpa.sys
c:\windows\system32\drivers\osyjmi.sys
c:\windows\system32\rltRM1.dll
.

((((((((((((((((((((((((((((((((((((((( Deleted Files )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\text.txt
c:\toskngr.exe
c:\windows\system32\drivers\osetgd.sys

.
((((((((((((((((((((((((( Files Created from 2008-10-18 to 2008-11-18 )))))))))))))))))))))))))))))))
.

2008-11-17 01:47 . 2008-11-17 01:47 <DIR> d-------- c:\temp\dial
2008-11-16 19:26 . 2008-11-16 19:27 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-11-16 19:26 . 2008-10-22 16:10 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-11-16 19:26 . 2008-10-22 16:10 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-11-16 17:38 . 2008-11-17 23:58 <DIR> d--h----- C:\$AVG8.VAULT$
2008-11-16 17:35 . 2008-11-16 17:35 76,040 --a------ c:\windows\system32\drivers\avgtdix.sys
2008-11-16 17:35 . 2008-11-16 17:35 10,520 --a------ c:\windows\system32\avgrsstx.dll
2008-11-16 17:34 . 2008-11-16 17:34 <DIR> d-------- c:\windows\system32\drivers\Avg
2008-11-16 17:34 . 2008-11-16 17:34 <DIR> d-------- c:\program files\AVG
2008-11-16 17:34 . 2008-11-16 17:34 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
2008-11-16 17:34 . 2008-11-16 17:34 97,928 --a------ c:\windows\system32\drivers\avgldx86.sys
2008-11-16 12:40 . 2008-11-16 12:40 <DIR> d-------- C:\rsit
2008-11-16 01:18 . 2005-03-15 20:11 283,904 -ra------ c:\windows\system32\drivers\A5AGU.sys
2008-11-16 01:18 . 2005-03-15 20:11 143,688 -ra------ c:\windows\system32\drivers\ar5523.bin
2008-11-16 01:18 . 2005-03-15 20:11 43,392 -ra------ c:\windows\system32\drivers\Athfmwdl.sys
2008-11-16 01:00 . 2008-11-16 01:00 <DIR> d-------- c:\program files\ANI
2008-11-16 01:00 . 2004-07-27 11:20 36,864 --a------ c:\windows\system32\ANIOApi.dll
2008-11-16 01:00 . 2004-07-27 11:20 28,205 --a------ c:\windows\system32\ANIO.sys
2008-11-16 01:00 . 2004-07-27 11:20 16,997 --a------ c:\windows\system32\ANIO.VXD
2008-11-16 01:00 . 2004-07-27 11:20 11,904 --a------ c:\windows\system32\anio4.sys
2008-11-16 00:56 . 2008-11-16 00:56 <DIR> d-------- c:\program files\D-Link

.
(((((((((((((((((((((((((((((((((((((((( Files Modified Within the Last Three Months ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-18 02:41 --------- d-----w c:\program files\NetZero
2008-11-17 04:47 --------- d-----w c:\documents and settings\All Users\Application Data\MapQuest Toolbar
2008-11-16 15:11 --------- d-----w c:\program files\ewido anti-malware
2008-11-16 07:31 --------- d-----w c:\program files\SUPERAntiSpyware
2008-11-16 07:16 --------- d-----w c:\program files\Common Files\Real
2008-11-16 06:47 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-11-16 06:47 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-16 06:00 --------- d--h--w c:\program files\InstallShield Installation Information
2008-10-12 01:00 --------- d-----w c:\documents and settings\DSC\Application Data\Malwarebytes
2008-10-12 01:00 --------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2008-10-12 00:18 --------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2008-10-11 22:06 --------- d-----w c:\program files\Panda Security
2008-10-03 20:25 --------- d-----w c:\documents and settings\NetworkService\Application Data\VOL_TOOLBAR
2008-09-29 17:24 272,116 ----a-w c:\windows\system32\test3.exe
2008-09-29 17:22 8,447 ----a-w c:\windows\system32\test2.exe
2008-09-29 17:22 16,384 ----a-w c:\windows\system32\test1.exe
2008-09-22 02:31 --------- d-----w c:\program files\Sun
2008-09-22 02:30 --------- d-----w c:\program files\Java
2008-09-21 23:46 --------- d-----w c:\program files\Lavasoft
2008-09-21 23:44 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2008-09-19 19:36 --------- d-----w c:\program files\PPLive
2008-09-19 19:34 --------- d-----w c:\documents and settings\All Users\Application Data\PPLive
2005-12-20 03:51 184,808 -c--a-w c:\documents and settings\DSC\Application Data\shb.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Lexmark X74-X75"="c:\program files\Lexmark X74-X75\lxbbbmgr.exe" [2002-06-24 57344]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2006-10-30 256576]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2001-08-18 44032]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2002-08-28 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2002-08-28 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2002-08-28 455168]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"Verizon_McciTrayApp"="c:\program files\Verizon\McciTrayApp.exe" [2007-09-28 936960]
"VerizonServicepoint.exe"="c:\program files\Verizon\VSP\VerizonServicepoint.exe" [2007-05-11 2061816]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-11-16 1234712]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
backup=c:\windows\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
--a--c--- 2004-12-14 02:12 483328 c:\program files\Adobe\Acrobat 7.0\Distillr\acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DataLayer]
--a--c--- 2004-06-07 11:07 1097728 c:\progra~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2006-10-30 09:36 256576 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
--a--c--- 2000-07-13 15:00 28739 c:\program files\Microsoft Works\WkDetect.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 11:24 1694208 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
--a--c--- 2004-05-21 09:41 148992 c:\progra~1\Nokia\NOKIAP~1\TRAYAP~1.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Bonjour Service"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Java\\jre1.6.0_01\\bin\\javaw.exe"=
"c:\\Program Files\\Java\\jre1.6.0_05\\bin\\javaw.exe"=
"c:\\Program Files\\PPLive\\PPLive.exe"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

R0 mtudh;mtudh;c:\windows\system32\drivers\mtudh.sys [2004-01-01 23392]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-10-11 28544]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-11-16 97928]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-11-16 875288]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-11-16 231704]
R2 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\Drivers\avgtdix.sys [2008-11-16 76040]
S0 kpqmw;kpqmw;c:\windows\system32\drivers\kpqmw.sys []
S2 mscrtu;mscrtu;\??\c:\windows\system32\drivers\mscrtu.sys []
S2 msfkcy;msfkcy;\??\c:\windows\system32\drivers\msfkcy.sys []
S2 mslbpr;mslbpr;\??\c:\windows\system32\drivers\mslbpr.sys []
S2 msnhoi;msnhoi;\??\c:\windows\system32\drivers\msnhoi.sys []
S2 msuwrl;msuwrl;\??\c:\windows\system32\drivers\msuwrl.sys []
S2 mswhia;mswhia;\??\c:\windows\system32\drivers\mswhia.sys []
S2 msxulk;msxulk;\??\c:\windows\system32\drivers\msxulk.sys []
S2 msyzut;msyzut;\??\c:\windows\system32\drivers\msyzut.sys []
S2 nsbopx;nsbopx;\??\c:\windows\system32\drivers\nsbopx.sys []
S2 nseoew;nseoew;\??\c:\windows\system32\drivers\nseoew.sys []
S2 nshpme;nshpme;\??\c:\windows\system32\drivers\nshpme.sys []
S2 nsjngk;nsjngk;\??\c:\windows\system32\drivers\nsjngk.sys []
S2 nsnvnr;nsnvnr;\??\c:\windows\system32\drivers\nsnvnr.sys []
S2 nspkxi;nspkxi;\??\c:\windows\system32\drivers\nspkxi.sys []
S2 nsqafs;nsqafs;\??\c:\windows\system32\drivers\nsqafs.sys []
S2 nsumkl;nsumkl;\??\c:\windows\system32\drivers\nsumkl.sys []
S2 nszset;nszset;\??\c:\windows\system32\drivers\nszset.sys []
S2 osduiq;osduiq;\??\c:\windows\system32\drivers\osduiq.sys []
S2 osetgd;osetgd;\??\c:\windows\system32\drivers\osetgd.sys []
S2 osfpec;osfpec;\??\c:\windows\system32\drivers\osfpec.sys []
S2 osjygb;osjygb;\??\c:\windows\system32\drivers\osjygb.sys []
S2 osmopb;osmopb;\??\c:\windows\system32\drivers\osmopb.sys []
S2 osqszm;osqszm;\??\c:\windows\system32\drivers\osqszm.sys []
S2 osrhpa;osrhpa;\??\c:\windows\system32\drivers\osrhpa.sys []
S2 osyjmi;osyjmi;\??\c:\windows\system32\drivers\osyjmi.sys []
S2 XaWin;XaWin;c:\windows\System32\svchost.exe -k netsvcs [2002-08-01 14336]
S3 A5AGU;D-Link USB Wireless Network Adapter Service;c:\windows\system32\DRIVERS\A5AGU.sys [2008-11-16 283904]
S3 ATHFMWDL;D-Link predator Bootloader driver;c:\windows\system32\Drivers\ATHFMWDL.sys [2008-11-16 43392]
S4 hpt3xx;hpt3xx; []

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
XaWin
.
Contents of the 'Scheduled Tasks' folder

2008-10-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2006-10-10 17:13]
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-18 00:25:58
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\conime.exe
c:\windows\system32\wscntfy.exe
c:\program files\Lexmark X74-X75\lxbbbmon.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\program files\AVG\AVG8\avgrsx.exe
.
**************************************************************************
.
Completion time: 2008-11-18 0:35:39 - machine was rebooted
ComboFix-quarantined-files.txt 2008-11-18 05:35:15
ComboFix2.txt 2008-11-17 05:27:21

Pre-Run: 20,341,202,944 bytes free
Post-Run: 20,324,753,408 bytes free

213 --- E O F --- 2008-11-18 03:10:02

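The service block in the log above (the S0/S2 entries that end in an empty `[]`, and the `XaWin` entry whose ImagePath is `svchost.exe -k netsvcs`) is the kind of listing that Geri's `Driver::` and `File::` stanzas were drawn from. The Python below is an added example and is not code from ComboFix, from Geri, or from anyone in this thread: it parses ComboFix service lines, applies two heuristics of my own choosing (a boot/system/auto-start service whose binary is not on disk; a service whose ImagePath is only the netsvcs host process), and drafts the CFScript stanzas for the first group. The sample lines are copied verbatim from the log above. That an empty `[]` means ComboFix did not find the file, and that the leading letter/digit encode running state and start type, is my reading of the log format and should be treated as an assumption.

```python
"""Triage a ComboFix service listing and draft the matching CFScript stanzas."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Shape of a ComboFix service line, as seen in the log posted above:
#   R0 mtudh;mtudh;c:\windows\system32\drivers\mtudh.sys [2004-01-01 23392]
#   S2 mscrtu;mscrtu;\??\c:\windows\system32\drivers\mscrtu.sys []
# Assumed meaning: leading letter R = running, S = stopped; digit = service
# start type (0 boot, 1 system, 2 auto, 3 demand, 4 disabled); the bracket
# holds the binary's date and size, and an empty "[]" means the file was
# not found on disk.
SERVICE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>[0-4])\s+"
    r"(?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.*?)\s*"
    r"\[(?P<meta>[^\]]*)\]\s*$"
)

# Sample input: seven lines copied from the ComboFix log in this thread.
SAMPLE_LOG = "\n".join([
    r"R0 mtudh;mtudh;c:\windows\system32\drivers\mtudh.sys [2004-01-01 23392]",
    r"R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-11-16 231704]",
    r"S0 kpqmw;kpqmw;c:\windows\system32\drivers\kpqmw.sys []",
    r"S2 mscrtu;mscrtu;\??\c:\windows\system32\drivers\mscrtu.sys []",
    r"S2 XaWin;XaWin;c:\windows\System32\svchost.exe -k netsvcs [2002-08-01 14336]",
    r"S3 A5AGU;D-Link USB Wireless Network Adapter Service;c:\windows\system32\DRIVERS\A5AGU.sys [2008-11-16 283904]",
    r"S4 hpt3xx;hpt3xx; []",
])


@dataclass
class Service:
    running: bool
    start_type: int
    name: str
    display: str
    path: str
    file_found: bool
    reason: str = ""


def parse_services(log_text: str) -> list[Service]:
    """Return every service line in a ComboFix log as a Service record."""
    services = []
    for raw in log_text.splitlines():
        m = SERVICE_RE.match(raw.strip())
        if not m:
            continue
        path = m.group("path").strip()
        if path.startswith("\\??\\"):
            # NT object-manager prefix carried by some ImagePath values; drop
            # it so the Win32 path can go straight into a File:: stanza.
            path = path[4:]
        services.append(Service(
            running=m.group("state") == "R",
            start_type=int(m.group("start")),
            name=m.group("name").strip(),
            display=m.group("display").strip(),
            path=path,
            file_found=bool(m.group("meta").strip()),
        ))
    return services


def flag_suspicious(services: list[Service]) -> list[Service]:
    """Two heuristics (mine, not ComboFix's) for entries that deserve a second look."""
    flagged = []
    for s in services:
        if not s.file_found and s.start_type <= 2:
            # Registered to load at boot/system/auto start, but the binary is
            # not on disk: a dangling driver entry.  A disabled (S4) leftover
            # is ignored because it will not load.
            s.reason = f"start type {s.start_type} but binary missing"
            flagged.append(s)
        elif re.search(r"svchost\.exe\s+-k\s+netsvcs", s.path, re.IGNORECASE):
            # The ImagePath is only the shared host process.  The code that
            # actually runs is the DLL named by the ServiceDll value under
            # HKLM\SYSTEM\CurrentControlSet\Services\<name>\Parameters, which
            # the log does not show, so this needs a manual look.
            s.reason = "svchost netsvcs host; inspect ServiceDll"
            flagged.append(s)
    return flagged


def cfscript(flagged: list[Service]) -> str:
    """Draft File:: and Driver:: stanzas for the dangling-driver entries only.

    netsvcs hosts are left out on purpose: deleting the service before knowing
    which DLL it loads would remove the pointer but not the payload.
    """
    dangling = [s for s in flagged if not s.file_found]
    if not dangling:
        return ""
    lines = ["File::"] + [s.path for s in dangling if s.path]
    lines += ["", "Driver::"] + [s.name for s in dangling]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    found = flag_suspicious(parse_services(SAMPLE_LOG))
    for s in found:
        print(f"{s.name:8s} {s.reason}")
    print(cfscript(found))
```

Run as-is it flags `kpqmw`, `mscrtu` and `XaWin` and drafts stanzas for the first two. Deliberately not flagged: `R0 mtudh`, whose file is present, and `S4 hpt3xx`, which is disabled. The script shortens the list for a human; it does not clear what it leaves out, and anything it emits still needs to be reviewed by whoever is directing the cleanup before it goes into a CFScript.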