
Solved Help Please - HijackThis Logfile [Vundo and more]

Discussion in 'Malware and Virus Removal Archive' started by annabanana973, 2007/09/08.

  1. 2007/09/08
    annabanana973

    annabanana973 Inactive Thread Starter

    Joined:
    2007/01/02
    Messages:
    52
    Likes Received:
    0
    [Resolved] Help Please - HijackThis Logfile [Vundo and more]

    Please Help :-D!


    Logfile of HijackThis v1.99.1
    Scan saved at 7:48:57 PM, on 9/8/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Running processes:
    E:\WINDOWS\System32\smss.exe
    E:\WINDOWS\system32\winlogon.exe
    E:\WINDOWS\system32\services.exe
    E:\WINDOWS\system32\lsass.exe
    E:\WINDOWS\system32\svchost.exe
    E:\WINDOWS\System32\svchost.exe
    E:\WINDOWS\system32\spoolsv.exe
    E:\WINDOWS\system32\HPZipm12.exe
    E:\WINDOWS\Explorer.EXE
    E:\WINDOWS\system32\svchost.exe
    E:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    E:\WINDOWS\system32\wscntfy.exe
    E:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Microsoft Office\Office\WINWORD.EXE
    E:\WINDOWS\system32\dwwin.exe
    E:\WINDOWS\msagent\AgentSvr.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
    C:\HJT\HijackThis1.exe
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    O2 - BHO: TB Class - {0CB66BA8-5E1F-4963-93D1-E1D6B78FE9A2} - C:\Program Files\WinBudget\bin\matrix.dll
    O2 - BHO: (no name) - {44218730-94E0-4b24-BBF0-C3D8B2BCE2C3} - E:\WINDOWS\system32\fffvcqep.dll
    O2 - BHO: (no name) - {88E9C04C-9139-40C2-BE58-8FB89F0B136B} - E:\WINDOWS\system32\jkkjj.dll
    O2 - BHO: 0 - {B4DF8B34-618A-455A-4EAD-C7B94404F76D} - C:\Program Files\Mozilla Firefox\qufap448.dll
    O2 - BHO: (no name) - {C84D8A0A-E708-42B6-90CA-9C30956A87C6} - E:\WINDOWS\system32\rqrsqpp.dll
    O4 - HKLM\..\Run: [MSOffice] rundll32.exe "E:\WINDOWS\system32\nuacvkrs.dll ",sitypnow
    O4 - HKLM\..\Run: [MSConfig] E:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe "
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: e:\windows\system32\pubhffboa.dll
    O10 - Unknown file in Winsock LSP: e:\windows\system32\pubhffboa.dll
    O10 - Unknown file in Winsock LSP: e:\windows\system32\pubhffboa.dll
    O10 - Unknown file in Winsock LSP: e:\windows\system32\pubhffboa.dll
    O10 - Unknown file in Winsock LSP: e:\windows\system32\pubhffboa.dll
    O10 - Unknown file in Winsock LSP: e:\windows\system32\pubhffboa.dll
    O10 - Unknown file in Winsock LSP: e:\windows\system32\pubhffboa.dll
    O10 - Unknown file in Winsock LSP: e:\windows\system32\pubhffboa.dll
    O10 - Unknown file in Winsock LSP: e:\windows\system32\pubhffboa.dll
    O10 - Unknown file in Winsock LSP: e:\windows\system32\pubhffboa.dll
    O10 - Unknown file in Winsock LSP: e:\windows\system32\pubhffboa.dll
    O10 - Unknown file in Winsock LSP: e:\windows\system32\pubhffboa.dll
    O10 - Unknown file in Winsock LSP: e:\windows\system32\pubhffboa.dll
    O10 - Unknown file in Winsock LSP: e:\windows\system32\pubhffboa.dll
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
    O16 - DPF: {556EEC63-31E2-47C3-BF29-DFF799D2FE04} (Remote Access ActiveX Client) - https://secure.logmein.com/activex/RACtrl.cab
    O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1167871446015
    O16 - DPF: {A922B6AB-3B87-11D3-B3C2-0008C7DA6CB9} (InetDownload Class) - https://media.pineconeresearch.com/ActiveX/downloadcontrol.cab
    O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
    O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O20 - Winlogon Notify: jkkjj - E:\WINDOWS\system32\jkkjj.dll
    O20 - Winlogon Notify: LMIinit - E:\WINDOWS\SYSTEM32\LMIinit.dll
    O20 - Winlogon Notify: rqrsqpp - E:\WINDOWS\SYSTEM32\rqrsqpp.dll
    O20 - Winlogon Notify: WgaLogon - E:\WINDOWS\
    O21 - SSODL: DCOM Server 20509 - {2C1CD3D7-86AC-4068-93BC-A02304B20509} - (no file)
    O23 - Service: Pml Driver HPZ12 - HP - E:\WINDOWS\system32\HPZipm12.exe
     
  2. 2007/09/08
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Hi annabanana973 :)

    I've moved your post to the appropriate forum and adjusted the title. In the future, please give your topics a title that more reflects your problem, and provide us with some details as well. Thanks!

    Your computer is badly infected and it will require the use of several tools to get it clean. Please follow all instructions and post all logs as requested. We'll start with VundoFix.

    Download VundoFix by Atribune, saving it to your desktop.
    • Double-click VundoFix.exe to run it.
    • Click the Scan for Vundo button.
    • Once it's done scanning, click the Remove Vundo button.
    • You will receive a prompt asking if you want to remove the files, click YES
    • Once you click yes, your desktop will go blank as it starts removing Vundo.
    • When completed, it will prompt that it will reboot your computer, click OK.
    • Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.
    Note: It is possible that VundoFix encounters a file it cannot remove. In this case, VundoFix will run on reboot. If that happens, follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.
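The diagnosis above rests on a handful of patterns in the first HijackThis log: unnamed O2 BHOs pointing at random-looking DLLs in system32, the same DLLs registered again as O20 Winlogon Notify packages, an O4 Run entry that loads a DLL through rundll32.exe, and an unknown Winsock LSP repeated down the chain. The script below is an added example (not code from this thread, VundoFix or HijackThis) that applies those same rules to log lines and cross-references paths across sections. The sample lines are excerpted from the log posted above; the KNOWN_NOTIFY allowlist and the severity labels are the example's own assumptions.

```python
"""Triage HijackThis 1.99 log lines for Vundo-style load points (added example)."""
import re
from collections import Counter, defaultdict

# Constructed sample: lines excerpted from the first HijackThis log in this
# thread, embedded so the script runs offline. Feed it a full log instead
# with triage(open("hijackthis.log").read().splitlines()).
SAMPLE_LINES = [
    r"O2 - BHO: TB Class - {0CB66BA8-5E1F-4963-93D1-E1D6B78FE9A2} - C:\Program Files\WinBudget\bin\matrix.dll",
    r"O2 - BHO: (no name) - {44218730-94E0-4b24-BBF0-C3D8B2BCE2C3} - E:\WINDOWS\system32\fffvcqep.dll",
    r"O2 - BHO: (no name) - {88E9C04C-9139-40C2-BE58-8FB89F0B136B} - E:\WINDOWS\system32\jkkjj.dll",
    r"O2 - BHO: (no name) - {C84D8A0A-E708-42B6-90CA-9C30956A87C6} - E:\WINDOWS\system32\rqrsqpp.dll",
    r'O4 - HKLM\..\Run: [MSOffice] rundll32.exe "E:\WINDOWS\system32\nuacvkrs.dll ",sitypnow',
    r'O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe "',
    r"O10 - Unknown file in Winsock LSP: e:\windows\system32\pubhffboa.dll",
    r"O10 - Unknown file in Winsock LSP: e:\windows\system32\pubhffboa.dll",
    r"O20 - Winlogon Notify: jkkjj - E:\WINDOWS\system32\jkkjj.dll",
    r"O20 - Winlogon Notify: LMIinit - E:\WINDOWS\SYSTEM32\LMIinit.dll",
    r"O20 - Winlogon Notify: rqrsqpp - E:\WINDOWS\SYSTEM32\rqrsqpp.dll",
    "O20 - Winlogon Notify: WgaLogon - E:\\WINDOWS\\",
    r"O23 - Service: Pml Driver HPZ12 - HP - E:\WINDOWS\system32\HPZipm12.exe",
]

# Assumed allowlist: Winlogon notification packages that ship with Windows XP
# SP2 or WGA. Legitimate third-party packages (LogMeIn's LMIinit here) are
# deliberately absent, so they surface as 'review' items for the analyst.
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                "sclgntfy", "senslogn", "termsrv", "wlballoon", "wgalogon"}

ENTRY_RE = re.compile(r"^([RO]\d+) - (.*)$")
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\n,]*?\.(?:dll|exe|sys)', re.IGNORECASE)


def parse(line):
    """Return (section, body, lowercased path or None) for one HJT line."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    section, body = m.groups()
    p = PATH_RE.search(body)
    return section, body, (p.group(0).lower() if p else None)


def triage(lines):
    """Apply per-section rules, then cross-reference paths across sections.

    Returns a list of (severity, section, path, reason) tuples.
    """
    findings = []
    seen = defaultdict(set)   # path -> set of sections it is registered in
    lsp = Counter()           # O10 path -> number of entries in the LSP chain
    for line in lines:
        parsed = parse(line)
        if not parsed:
            continue
        section, body, path = parsed
        if path:
            seen[path].add(section)
        if section == "O2" and "(no name)" in body:
            findings.append(("high", section, path, "unnamed BHO"))
        elif section == "O4" and "rundll32.exe" in body.lower() and path and path.endswith(".dll"):
            findings.append(("high", section, path, "rundll32 DLL loader in Run key"))
        elif section == "O10" and path:
            lsp[path] += 1
        elif section == "O20":
            name = body.split(":", 1)[1].split(" - ", 1)[0].strip().lower()
            if name not in KNOWN_NOTIFY:
                findings.append(("review", section, path,
                                 f"Winlogon Notify package '{name}' is not a stock XP package"))
    for path, n in lsp.items():
        findings.append(("high", "O10", path, f"unknown Winsock LSP, {n} chain entries"))
    for path, sections in seen.items():
        if len(sections) > 1:   # one DLL hooked into several load points: Vundo's signature
            findings.append(("critical", "+".join(sorted(sections)), path,
                             "same DLL registered in multiple load points"))
    return findings


if __name__ == "__main__":
    for sev, sec, path, why in triage(SAMPLE_LINES):
        print(f"[{sev:8}] {sec:7} {why}: {path}")
```

On the sample, the two DLLs that appear both as a BHO and as a Winlogon Notify package (jkkjj.dll and rqrsqpp.dll) come out as critical, which matches what VundoFix later removed. LMIinit.dll is reported for review only; an allowlist like KNOWN_NOTIFY has to be curated per machine, and the right follow-up for an unknown package is to check the file's publisher rather than delete on sight.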
     


  4. 2007/09/10
    annabanana973

    annabanana973 Inactive Thread Starter

    Joined:
    2007/01/02
    Messages:
    52
    Likes Received:
    0
    VundoFix.txt and HijackThis.log

    VundoFix V6.5.8

    Checking Java version...

    Sun Java not detected
    Scan started at 8:24:36 AM 9/10/2007

    Listing files found while scanning....

    E:\WINDOWS\system32\fffvcqep.dll
    E:\WINDOWS\system32\jjkkj.bak1
    E:\WINDOWS\system32\jjkkj.bak2
    E:\WINDOWS\system32\jjkkj.ini
    E:\WINDOWS\system32\jkkjj.dll
    E:\WINDOWS\system32\nijvlfdg.dll
    E:\WINDOWS\system32\rqrsqpp.dll
    E:\WINDOWS\system32\tmp18.tmp.dll

    Beginning removal...

    Attempting to delete E:\WINDOWS\system32\fffvcqep.dll
    E:\WINDOWS\system32\fffvcqep.dll Has been deleted!

    Attempting to delete E:\WINDOWS\system32\jjkkj.bak1
    E:\WINDOWS\system32\jjkkj.bak1 Has been deleted!

    Attempting to delete E:\WINDOWS\system32\jjkkj.bak2
    E:\WINDOWS\system32\jjkkj.bak2 Has been deleted!

    Attempting to delete E:\WINDOWS\system32\jjkkj.ini
    E:\WINDOWS\system32\jjkkj.ini Has been deleted!

    Attempting to delete E:\WINDOWS\system32\jkkjj.dll
    E:\WINDOWS\system32\jkkjj.dll Has been deleted!

    Attempting to delete E:\WINDOWS\system32\nijvlfdg.dll
    E:\WINDOWS\system32\nijvlfdg.dll Could not be deleted.

    Attempting to delete E:\WINDOWS\system32\rqrsqpp.dll
    E:\WINDOWS\system32\rqrsqpp.dll Has been deleted!

    Performing Repairs to the registry.
    Done!

    VundoFix V6.5.8

    Checking Java version...

    Sun Java not detected
    Scan started at 8:29:01 AM 9/10/2007

    Listing files found while scanning....

    No infected files were found.

    -----------------------------------------------------

    Logfile of HijackThis v1.99.1
    Scan saved at 8:34:28 AM, on 9/10/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    E:\WINDOWS\System32\smss.exe
    E:\WINDOWS\system32\winlogon.exe
    E:\WINDOWS\system32\services.exe
    E:\WINDOWS\system32\lsass.exe
    E:\WINDOWS\system32\svchost.exe
    E:\WINDOWS\System32\svchost.exe
    E:\WINDOWS\system32\spoolsv.exe
    E:\WINDOWS\system32\HPZipm12.exe
    E:\WINDOWS\Explorer.EXE
    E:\WINDOWS\system32\svchost.exe
    E:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    e:\program files\internet explorer\iexplore.exe
    E:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\HJT\HijackThis1.exe

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    O2 - BHO: TB Class - {0CB66BA8-5E1F-4963-93D1-E1D6B78FE9A2} - C:\Program Files\WinBudget\bin\matrix.dll
    O2 - BHO: (no name) - {52451406-DB5A-49FD-91A4-7A801F6C8E15} - E:\WINDOWS\system32\jkkjj.dll (file missing)
    O2 - BHO: 0 - {B4DF8B34-618A-455A-4EAD-C7B94404F76D} - C:\Program Files\Mozilla Firefox\qufap448.dll
    O4 - HKLM\..\Run: [MSConfig] E:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe "
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: e:\windows\system32\pubhffboa.dll
    O10 - Unknown file in Winsock LSP: e:\windows\system32\pubhffboa.dll
    O10 - Unknown file in Winsock LSP: e:\windows\system32\pubhffboa.dll
    O10 - Unknown file in Winsock LSP: e:\windows\system32\pubhffboa.dll
    O10 - Unknown file in Winsock LSP: e:\windows\system32\pubhffboa.dll
    O10 - Unknown file in Winsock LSP: e:\windows\system32\pubhffboa.dll
    O10 - Unknown file in Winsock LSP: e:\windows\system32\pubhffboa.dll
    O10 - Unknown file in Winsock LSP: e:\windows\system32\pubhffboa.dll
    O10 - Unknown file in Winsock LSP: e:\windows\system32\pubhffboa.dll
    O10 - Unknown file in Winsock LSP: e:\windows\system32\pubhffboa.dll
    O10 - Unknown file in Winsock LSP: e:\windows\system32\pubhffboa.dll
    O10 - Unknown file in Winsock LSP: e:\windows\system32\pubhffboa.dll
    O10 - Unknown file in Winsock LSP: e:\windows\system32\pubhffboa.dll
    O10 - Unknown file in Winsock LSP: e:\windows\system32\pubhffboa.dll
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
    O16 - DPF: {556EEC63-31E2-47C3-BF29-DFF799D2FE04} (Remote Access ActiveX Client) - https://secure.logmein.com/activex/RACtrl.cab
    O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1167871446015
    O16 - DPF: {A922B6AB-3B87-11D3-B3C2-0008C7DA6CB9} (InetDownload Class) - https://media.pineconeresearch.com/ActiveX/downloadcontrol.cab
    O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
    O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O20 - Winlogon Notify: LMIinit - E:\WINDOWS\SYSTEM32\LMIinit.dll
    O20 - Winlogon Notify: WgaLogon - E:\WINDOWS\
    O21 - SSODL: DCOM Server 20509 - {2C1CD3D7-86AC-4068-93BC-A02304B20509} - (no file)
    O23 - Service: Pml Driver HPZ12 - HP - E:\WINDOWS\system32\HPZipm12.exe
     
  5. 2007/09/10
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Download ComboFix by sUBs from Here or Here, saving the file to your Desktop.
    • Close all open programs and windows
    • Double click combofix.exe and follow the prompts.
    • When finished, it will open a log for you. Post that log and a new HijackThis log in your next reply.
    Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
     
  6. 2007/09/11
    annabanana973

    annabanana973 Inactive Thread Starter

    Joined:
    2007/01/02
    Messages:
    52
    Likes Received:
    0
    ComboFix and HijackThis

    ComboFix 07-09-10.6 - "Anna Luzzi" 2007-09-11 9:25:03.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.751 [GMT -4:00]
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Program Files\Common Files\winantispyware 2007
    C:\Program Files\Common Files\WinAntiSpyware 2007\err.log
    C:\Program Files\Common Files\winantispyware 2007\err.log
    C:\Program Files\Common Files\WinAntiSpyware 2007\uwas7cw.exe
    C:\Program Files\Common Files\winantispyware 2007\uwas7cw.exe
    C:\Program Files\Common Files\winantispyware 2007\WAS7Mon.exe
    C:\Program Files\Common Files\WinAntiSpyware 2007\WAS7Mon.exe
    C:\Program Files\dobe~1
    C:\Program Files\inetget2
    C:\Program Files\Mozilla Firefox\qufap.dll
    C:\Program Files\Mozilla Firefox\qufap448.dll
    C:\Program Files\Mozilla Firefox\rtened.html
    C:\Program Files\svhost
    C:\Program Files\svhost\wr-1-0000077.exe
    C:\Program Files\Ultimate Defender
    C:\Program Files\winpop
    C:\Program Files\winpop\UnInstall.exe
    C:\Program Files\winpop\winpop.exe
    E:\DOCUME~1\ANNALU~1.ANN\APPLIC~1\.rdr.ini
    E:\DOCUME~1\ANNALU~1.ANN\APPLIC~1\WinAntiSpyware 2007
    E:\DOCUME~1\ANNALU~1.ANN\APPLIC~1\WinAntiSpyware 2007 Free
    E:\DOCUME~1\ANNALU~1.ANN\APPLIC~1\WinAntiSpyware 2007 Free\DownloadUWAS7.url
    E:\DOCUME~1\ANNALU~1.ANN\APPLIC~1\WinAntiSpyware 2007\Logs\update.log
    E:\DOCUME~1\ANNALU~1.ANN\err.log
    E:\DOCUME~1\ANNALU~1.ANN\temp.tpk
    E:\WINDOWS\asks~1
    E:\WINDOWS\b103.exe
    E:\WINDOWS\b104.exe
    E:\WINDOWS\b122.exe
    E:\WINDOWS\b129.exe
    E:\WINDOWS\cookies.ini
    E:\WINDOWS\cs_cache.ini
    E:\WINDOWS\retadpu1000106.exe
    E:\WINDOWS\retadpu77.exe
    E:\WINDOWS\svhost.exe
    E:\WINDOWS\system32\config\systemprofile\application data\.rdr.ini
    E:\WINDOWS\system32\drivers\fopn.sys
    E:\WINDOWS\system32\f10WtR
    E:\WINDOWS\system32\f10WtR\f10WtR1099.exe
    E:\WINDOWS\system32\pubhffboa.dll
    E:\WINDOWS\system32\regscan.exe
    E:\WINDOWS\system32\smpi1
    E:\WINDOWS\system32\smpi1\DealioKit1-stub-0.exe
    E:\WINDOWS\system32\smpi1\lib06.exe
    E:\WINDOWS\system32\smpi1\lib67.exe
    E:\WINDOWS\system32runonce2.t__
    E:\WINDOWS\system32runonce2.tm_
    E:\WINDOWS\tk58.exe
    E:\WINDOWS\wr.txt


    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


    -------\LEGACY_FOPN
    -------\LEGACY_QQD.SYS
    -------\ApiMon
    -------\fopn
    -------\qqd.sys


    ((((((((((((((((((((((((( Files Created from 2007-08-11 to 2007-09-11 )))))))))))))))))))))))))))))))
    .

    2007-09-10 08:22 87,616 --------- E:\WINDOWS\system32\nijvlfdg.dll
    2007-08-31 09:49 87,616 --a------ E:\WINDOWS\system32\tfyqtglk.dll
    2007-08-30 02:13 87,616 --a------ E:\WINDOWS\system32\piludhqq.dll
    2007-08-30 01:37 87,616 --a------ E:\WINDOWS\system32\ocuomito.dll
    2007-08-30 00:37 76,560 --a------ E:\WINDOWS\system32\drivers\tmcomm.sys
    2007-08-29 01:36 87,616 --a------ E:\WINDOWS\system32\wspsgbcv.dll
    2007-08-26 09:17 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
    2007-08-26 09:04 87,616 --a------ E:\WINDOWS\system32\yonxlkbs.dll
    2007-08-17 18:17 <DIR> d-------- E:\WINDOWS\system32\ICM3
    2007-08-17 18:17 <DIR> d-------- E:\WINDOWS\system32\CC1
    2007-08-17 18:17 <DIR> d-------- E:\WINDOWS\system32\bgfig5
    2007-08-15 20:32 26,176 --a------ E:\WINDOWS\system32\0BCE7naA.exe

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-08-30 01:16 --------- d-------- C:\Program Files\Lavasoft Ad-Aware
    2007-08-26 09:30 --------- d-------- C:\Program Files\Lavasoft
    2007-08-26 09:19 --------- d-------- C:\Program Files\TorrentQ
    2007-08-26 09:16 --------- d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2007-08-26 09:07 --------- d-------- C:\Program Files\Image2Ico
    2007-08-26 09:07 --------- d-------- C:\Program Files\Colorful Movie Editor
    2007-08-26 09:03 --------- d-------- C:\Program Files\LogMeIn
    2007-08-06 09:45 --------- d-------- E:\DOCUME~1\ANNALU~1.ANN\APPLIC~1\LimeWire
    2007-06-17 00:11 51200 --a------ E:\WINDOWS\nircmd.exe
    2007-06-12 22:43 11264 --ahs---- C:\Program Files\Thumbs.db
    2007-05-12 14:08 675 --a------ E:\DOCUME~1\ANNALU~1.ANN\clean.reg
    2007-03-10 21:06 1694616 --a------ C:\Program Files\daemon408-139-x64.exe
    2006-09-02 19:30 0 --a------ C:\Program Files\Sony.Vegas.v6.0B.Build.115_Serial.Keygen_Serial WorKiNG.rar
    2006-09-02 17:35 0 --a------ C:\Program Files\SONY.Vegas.6.0c.FULL.Include.Keymaker-PDX.zip
    2006-05-06 03:09 495310848 --a------ C:\Program Files\Microsoft Office XP.ISO
    2002-05-19 20:36 75 --a------ C:\Program Files\Admin_Standalone.url
    2002-05-19 20:36 70 --a------ C:\Program Files\Admin.url
    2002-05-19 20:36 102 --a------ C:\Program Files\Docs_Standalone.url
    2002-05-19 20:36 102 --a------ C:\Program Files\Docs.url
    2002-05-08 17:08 25214 --a------ C:\Program Files\cf_app.ico
    2002-03-18 12:58 4518 --a------ C:\Program Files\mm_ns.css
    2002-03-18 12:58 3735 --a------ C:\Program Files\mm_ie.css
    2005-07-29 20:24:26 472 --sha-r E:\WINDOWS\QW5uYSBMdXp6aQ\kqcRsm1gxrDduk.vbs
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .

    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{52451406-DB5A-49FD-91A4-7A801F6C8E15}]
    E:\WINDOWS\system32\jkkjj.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSConfig "= "E:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-03 18:56]
    "HP Software Update "= "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2006-12-19 00:01]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runservices]
    "IPConfig "=

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
    LMIinit.dll 2007-05-25 15:22 63040 E:\WINDOWS\system32\LMIinit.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Anna Luzzi^Start Menu^Programs^Adobe^Startup^Adobe Gamma.lnk]
    path=C:\Documents and Settings\Anna Luzzi\Start Menu\Programs\Adobe\Startup\Adobe Gamma.lnk
    backup=E:\WINDOWS\pss\Adobe Gamma.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Anna Luzzi^Start Menu^Programs^Adobe^Startup^IMVU.lnk]
    path=C:\Documents and Settings\Anna Luzzi\Start Menu\Programs\Adobe\Startup\IMVU.lnk
    backup=E:\WINDOWS\pss\IMVU.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\E:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
    path=E:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
    backup=E:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\E:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    path=E:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
    backup=E:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\E:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
    path=E:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
    backup=E:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\E:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
    path=E:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
    backup=E:\WINDOWS\pss\HP Image Zone Fast Start.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\E:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
    path=E:\Documents and Settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
    backup=E:\WINDOWS\pss\Logitech Desktop Messenger.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\E:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
    path=E:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
    backup=E:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\359511908.exe]
    E:\WINDOWS\system32\359511908.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\696224658.exe]
    E:\WINDOWS\system32\696224658.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
    C:\Program Files\common files\Adobe\Updater\AdobeUpdater.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
    C:\Program Files\AIM\aim.exe -cnetwait.odl

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\au]
    C:\Program Files\Dealio\DealioAU.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
    "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe "

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DIRECT!]
    "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe "

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IpWins]
    C:\Program Files\Ipwindows\ipwins.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
    %systemroot%\system32\dumprep 0 -k

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LDM]
    C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechGalleryRepair]
    C:\Program Files\Logitech\ImageStudio\ISStart.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechImageStudioTray]
    C:\Program Files\Logitech\ImageStudio\LogiTray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogMeIn GUI]
    "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe "

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LVCOMS]
    C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Math Meta 1 About]
    C:\Documents and Settings\All Users\Application Data\TrustKindMathMeta\Ballsect.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mebeluv]
    C:\Program Files\movie maker\mebeluv22011.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsgCenterExe]
    "C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe" -osboot

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSOffice]
    rundll32.exe "E:\WINDOWS\system32\yonxlkbs.dll ",sitypnow

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Rect Idle]
    E:\DOCUME~1\ANNALU~1.ANN\APPLIC~1\SHOWEX~1\long send audio.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Regscan]
    E:\WINDOWS\system32\regscan.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Restore Operation]
    E:\DOCUME~1\ANNALU~1.ANN\LOCALS~1\Temp\svchots.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]
    E:\WINDOWS\retadpu77.exe 61A847B5BBF72815358B2B27128065E9C084320161C4661227A755E9C2933154389A

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Salestart]
    "C:\Program Files\Common Files\WinAntiSpyware 2007\WAS7Mon.exe "

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe "

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\svhost]
    "E:\WINDOWS\svhost.exe "

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Synchronization Agent]
    "C:\Program Files\Sync Manager\agent\syncagent.exe "

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uwas7cw]
    "C:\Program Files\Common Files\WinAntiSpyware 2007\uwas7cw.exe" -c

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WindowsService]
    rundll32.exe "E:\WINDOWS\system32\nlfnhfyb.dll ",realset

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinPop]
    C:\Program Files\WinPop\winpop.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{3C-C9-91-1C-ZN}]
    e:\windows\system32\dwdsregt.exe SKY001

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{6831F5EA-0960-1033-0430-020624030001}]
    "C:\Program Files\Common Files\{6831F5EA-0960-1033-0430-020624030001}\Update.exe" te-110-12-0000213

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "CAISafe "=3 (0x3)
    "Browser "=2 (0x2)
    "vsmon "=2 (0x2)
    "iPodService "=3 (0x3)
    "SQLAgent$SONY_MEDIAMGR "=3 (0x3)
    "rpcapd "=3 (0x3)
    "Pml Driver HPZ12 "=2 (0x2)
    "MSSQL$SONY_MEDIAMGR "=3 (0x3)
    "mple7docserver "=2 (0x2)
    "LogMeIn "=2 (0x2)
    "LMIMaint "=2 (0x2)
    "IDriverT "=3 (0x3)
    "ColdFusion MX ODBC Server "=2 (0x2)
    "ColdFusion MX ODBC Agent "=2 (0x2)
    "ColdFusion MX Application Server "=2 (0x2)
    "CLTNetCnService "=2 (0x2)
    "Autodesk Licensing Service "=2 (0x2)
    "Adobe LM Service "=3 (0x3)
    "aawservice "=2 (0x2)

    R2 LMIInfo;LogMeIn Kernel Information Provider;\??\C:\Program Files\LogMeIn\x86\RaInfo.sys
    R2 LMIRfsDriver;LogMeIn Remote File System Driver;\??\E:\WINDOWS\system32\drivers\LMIRfsDriver.sys
    R3 LMImirr;LMImirr;E:\WINDOWS\system32\DRIVERS\LMImirr.sys
    S3 ATE_PROCMON;ATE_PROCMON;\??\C:\Program Files\Anti Trojan Elite\ATEPMon.sys
    S4 ColdFusion MX ODBC Agent;ColdFusion MX ODBC Agent;C:\Program Files\db\slserver52\bin\swagent.exe "ColdFusion MX ODBC Agent "
    S4 mple7docserver;Maya 7 PLE Documentation Server; "C:\Program Files\Alias\Maya 7.0 Personal Learning Edition\docs\wrapper.exe" -s "C:\Program Files\Alias\Maya 7.0 Personal Learning Edition\docs\Wrapper.conf "

    .
    Contents of the 'Scheduled Tasks' folder
    "2007-08-27 04:01:38 E:\WINDOWS\Tasks\At1.job "
    - E:\WINDOWS\system32\0BCE7naA.exe
    "2007-09-10 13:01:30 E:\WINDOWS\Tasks\At10.job "
    "2007-08-27 14:01:35 E:\WINDOWS\Tasks\At11.job "
    "2007-08-19 15:01:00 E:\WINDOWS\Tasks\At12.job "
    - E:\WINDOWS\system32\0BCE7naA.exe
    "2007-08-19 16:01:00 E:\WINDOWS\Tasks\At13.job "
    - E:\WINDOWS\system32\0BCE7naA.exe
    "2007-08-19 17:01:00 E:\WINDOWS\Tasks\At14.job "
    - E:\WINDOWS\system32\0BCE7naA.exe
    "2007-08-19 18:01:00 E:\WINDOWS\Tasks\At15.job "
    - E:\WINDOWS\system32\0BCE7naA.exe
    "2007-08-19 19:01:00 E:\WINDOWS\Tasks\At16.job "
    - E:\WINDOWS\system32\0BCE7naA.exe
    "2007-08-19 20:01:00 E:\WINDOWS\Tasks\At17.job "
    - E:\WINDOWS\system32\0BCE7naA.exe
    "2007-08-19 21:01:00 E:\WINDOWS\Tasks\At18.job "
    "2007-08-19 22:01:00 E:\WINDOWS\Tasks\At19.job "
    - E:\WINDOWS\system32\0BCE7naA.exe
    "2007-08-27 05:01:37 E:\WINDOWS\Tasks\At2.job "
    "2007-08-17 23:01:00 E:\WINDOWS\Tasks\At20.job "
    - E:\WINDOWS\system32\0BCE7naA.exe
    "2007-08-16 00:32:30 E:\WINDOWS\Tasks\At21.job "
    - E:\WINDOWS\system32\0BCE7naA.exe
    "2007-08-16 01:01:05 E:\WINDOWS\Tasks\At22.job "
    - E:\WINDOWS\system32\0BCE7naA.exe
    "2007-08-16 00:32:30 E:\WINDOWS\Tasks\At23.job "
    - E:\WINDOWS\system32\0BCE7naA.exe
    "2007-08-19 03:01:57 E:\WINDOWS\Tasks\At24.job "
    - E:\WINDOWS\system32\0BCE7naA.exe
    "2007-08-29 06:01:31 E:\WINDOWS\Tasks\At3.job "
    "2007-08-29 07:01:00 E:\WINDOWS\Tasks\At4.job "
    - E:\WINDOWS\system32\0BCE7naA.exe
    "2007-08-18 08:01:00 E:\WINDOWS\Tasks\At5.job "
    - E:\WINDOWS\system32\0BCE7naA.exe
    "2007-08-19 09:01:54 E:\WINDOWS\Tasks\At6.job "
    - E:\WINDOWS\system32\0BCE7naA.exe
    "2007-08-27 10:01:33 E:\WINDOWS\Tasks\At7.job "
    - E:\WINDOWS\system32\0BCE7naA.exe
    "2007-08-27 11:01:35 E:\WINDOWS\Tasks\At8.job "
    "2007-08-19 12:01:00 E:\WINDOWS\Tasks\At9.job "
    - E:\WINDOWS\system32\0BCE7naA.exe
    "2007-01-02 13:10:21 E:\WINDOWS\Tasks\Uniblue SpyEraser.job "
    - C:\program files\uniblue\spyeraser\SpyEraser.exe
    .
    **************************************************************************

    catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-09-11 09:29:23
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2007-09-11 9:30:18 - machine was rebooted
    E:\ComboFix-quarantined-files.txt ... 2007-09-11 09:30
    E:\ComboFix2.txt ... 2007-05-12 13:25
    E:\ComboFix3.txt ... 2007-01-08 18:01
    .
    --- E O F ---


    --------------------------------------------

    Logfile of HijackThis v1.99.1
    Scan saved at 9:43:17 AM, on 9/11/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    E:\WINDOWS\System32\smss.exe
    E:\WINDOWS\system32\winlogon.exe
    E:\WINDOWS\system32\services.exe
    E:\WINDOWS\system32\lsass.exe
    E:\WINDOWS\system32\svchost.exe
    E:\WINDOWS\System32\svchost.exe
    E:\WINDOWS\system32\spoolsv.exe
    E:\WINDOWS\system32\HPZipm12.exe
    E:\WINDOWS\system32\svchost.exe
    E:\WINDOWS\system32\wscntfy.exe
    E:\WINDOWS\Explorer.EXE
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    E:\Program Files\Internet Explorer\IEXPLORE.EXE
    E:\WINDOWS\system32\wuauclt.exe
    C:\HJT\HijackThis1.exe

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    O2 - BHO: (no name) - {52451406-DB5A-49FD-91A4-7A801F6C8E15} - E:\WINDOWS\system32\jkkjj.dll (file missing)
    O4 - HKLM\..\Run: [MSConfig] E:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe "
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
    O16 - DPF: {556EEC63-31E2-47C3-BF29-DFF799D2FE04} (Remote Access ActiveX Client) - https://secure.logmein.com/activex/RACtrl.cab
    O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1167871446015
    O16 - DPF: {A922B6AB-3B87-11D3-B3C2-0008C7DA6CB9} (InetDownload Class) - https://media.pineconeresearch.com/ActiveX/downloadcontrol.cab
    O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
    O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O20 - Winlogon Notify: LMIinit - E:\WINDOWS\SYSTEM32\LMIinit.dll
    O20 - Winlogon Notify: WgaLogon - E:\WINDOWS\
    O21 - SSODL: DCOM Server 20509 - {2C1CD3D7-86AC-4068-93BC-A02304B20509} - (no file)
    O23 - Service: Pml Driver HPZ12 - HP - E:\WINDOWS\system32\HPZipm12.exe
     
  7. 2007/09/11
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Please delete the copy of HijackThis.exe you currently have and replace it with a fresh copy from here.

    Scan again with HijackThis and fix the following entry.

    O21 - SSODL: DCOM Server 20509 - {2C1CD3D7-86AC-4068-93BC-A02304B20509} - (no file)

    Close HijackThis.

    Delete the copy of ComboFix.exe you have. I need you to download an updated version from here. Save it to your desktop.


    Copy the contents of the code box below and paste it into a blank notepad, then save it to your desktop as:

    Filename: CFScript.txt
    Save As Type: All Files (*.*)

    Code:
    File::
    E:\WINDOWS\system32\nijvlfdg.dll
    E:\WINDOWS\system32\tfyqtglk.dll
    E:\WINDOWS\system32\piludhqq.dll
    E:\WINDOWS\system32\ocuomito.dll
    E:\WINDOWS\system32\wspsgbcv.dll
    E:\WINDOWS\system32\yonxlkbs.dll
    E:\WINDOWS\system32\0BCE7naA.exe
    E:\WINDOWS\Tasks\At1.job
    E:\WINDOWS\Tasks\At2.job
    E:\WINDOWS\Tasks\At3.job
    E:\WINDOWS\Tasks\At4.job
    E:\WINDOWS\Tasks\At5.job
    E:\WINDOWS\Tasks\At6.job
    E:\WINDOWS\Tasks\At7.job
    E:\WINDOWS\Tasks\At8.job
    E:\WINDOWS\Tasks\At9.job
    E:\WINDOWS\Tasks\At10.job
    E:\WINDOWS\Tasks\At11.job
    E:\WINDOWS\Tasks\At12.job
    E:\WINDOWS\Tasks\At13.job
    E:\WINDOWS\Tasks\At14.jo
    E:\WINDOWS\Tasks\At15.job
    E:\WINDOWS\Tasks\At16.job
    E:\WINDOWS\Tasks\At17.job
    E:\WINDOWS\Tasks\At18.job
    E:\WINDOWS\Tasks\At19.job
    E:\WINDOWS\Tasks\At20.job
    E:\WINDOWS\Tasks\At21.job
    E:\WINDOWS\Tasks\At22.job
    E:\WINDOWS\Tasks\At23.job
    E:\WINDOWS\Tasks\At24.job
    
    Folder::
    E:\WINDOWS\QW5uYSBMdXp6aQ
    
    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{52451406-DB5A-49FD-91A4-7A801F6C8E15}]
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runservices]
     "IPConfig "=-
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\359511908.exe]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\696224658.exe]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IpWins]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSOffice]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Rect Idle]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Regscan]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Restore Operation]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Salestart]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\svhost]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Synchronization Agent]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uwas7cw]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WindowsService]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinPop]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{3C-C9-91-1C-ZN}]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{6831F5EA-0960-1033-0430-020624030001}]
    
    DirLook::
    E:\WINDOWS\system32\ICM3
    E:\WINDOWS\system32\CC1
    E:\WINDOWS\system32\bgfig5
    
    Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button. Combofix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log. Create a fresh HijackThis log at this time and post it as well.

    Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.
     
  8. 2007/09/12
    annabanana973

    annabanana973 Inactive Thread Starter

    Joined:
    2007/01/02
    Messages:
    52
    Likes Received:
    0
    ComboFix and HijackThis

    ComboFix 07-09-12.4 - "Anna Luzzi" 2007-09-12 9:00:51.3 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.742 [GMT -4:00]
    Command switches used :: C:\Documents and Settings\Anna Luzzi\Desktop\CFScript.txt
    * Created a new restore point

    FILE::
    E:\WINDOWS\system32\nijvlfdg.dll
    E:\WINDOWS\system32\tfyqtglk.dll
    E:\WINDOWS\system32\piludhqq.dll
    E:\WINDOWS\system32\ocuomito.dll
    E:\WINDOWS\system32\wspsgbcv.dll
    E:\WINDOWS\system32\yonxlkbs.dll
    E:\WINDOWS\system32\0BCE7naA.exe
    E:\WINDOWS\Tasks\At1.job
    E:\WINDOWS\Tasks\At2.job
    E:\WINDOWS\Tasks\At3.job
    E:\WINDOWS\Tasks\At4.job
    E:\WINDOWS\Tasks\At5.job
    E:\WINDOWS\Tasks\At6.job
    E:\WINDOWS\Tasks\At7.job
    E:\WINDOWS\Tasks\At8.job
    E:\WINDOWS\Tasks\At9.job
    E:\WINDOWS\Tasks\At10.job
    E:\WINDOWS\Tasks\At11.job
    E:\WINDOWS\Tasks\At12.job
    E:\WINDOWS\Tasks\At13.job
    E:\WINDOWS\Tasks\At14.jo
    E:\WINDOWS\Tasks\At15.job
    E:\WINDOWS\Tasks\At16.job
    E:\WINDOWS\Tasks\At17.job
    E:\WINDOWS\Tasks\At18.job
    E:\WINDOWS\Tasks\At19.job
    E:\WINDOWS\Tasks\At20.job
    E:\WINDOWS\Tasks\At21.job
    E:\WINDOWS\Tasks\At22.job
    E:\WINDOWS\Tasks\At23.job
    E:\WINDOWS\Tasks\At24.job
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    E:\WINDOWS\QW5uYSBMdXp6aQ
    E:\WINDOWS\QW5uYSBMdXp6aQ\kqcRsm1gxrDduk.vbs
    E:\WINDOWS\system32\0BCE7naA.exe
    E:\WINDOWS\system32\nijvlfdg.dll
    E:\WINDOWS\system32\ocuomito.dll
    E:\WINDOWS\system32\piludhqq.dll
    E:\WINDOWS\system32\tfyqtglk.dll
    E:\WINDOWS\system32\wspsgbcv.dll
    E:\WINDOWS\system32\yonxlkbs.dll
    E:\WINDOWS\Tasks\At1.job
    E:\WINDOWS\Tasks\At10.job
    E:\WINDOWS\Tasks\At11.job
    E:\WINDOWS\Tasks\At12.job
    E:\WINDOWS\Tasks\At13.job
    E:\WINDOWS\Tasks\At15.job
    E:\WINDOWS\Tasks\At16.job
    E:\WINDOWS\Tasks\At17.job
    E:\WINDOWS\Tasks\At18.job
    E:\WINDOWS\Tasks\At19.job
    E:\WINDOWS\Tasks\At2.job
    E:\WINDOWS\Tasks\At20.job
    E:\WINDOWS\Tasks\At21.job
    E:\WINDOWS\Tasks\At22.job
    E:\WINDOWS\Tasks\At23.job
    E:\WINDOWS\Tasks\At24.job
    E:\WINDOWS\Tasks\At3.job
    E:\WINDOWS\Tasks\At4.job
    E:\WINDOWS\Tasks\At5.job
    E:\WINDOWS\Tasks\At6.job
    E:\WINDOWS\Tasks\At7.job
    E:\WINDOWS\Tasks\At8.job
    E:\WINDOWS\Tasks\At9.job

    .
    ((((((((((((((((((((((((( Files Created from 2007-08-12 to 2007-09-12 )))))))))))))))))))))))))))))))
    .

    2007-08-30 00:37 76,560 --a------ E:\WINDOWS\system32\drivers\tmcomm.sys
    2007-08-26 09:17 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
    2007-08-17 18:17 <DIR> d-------- E:\WINDOWS\system32\ICM3
    2007-08-17 18:17 <DIR> d-------- E:\WINDOWS\system32\CC1
    2007-08-17 18:17 <DIR> d-------- E:\WINDOWS\system32\bgfig5

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-09-11 23:38 --------- d-------- C:\Program Files\Trend Micro
    2007-08-30 01:16 --------- d-------- C:\Program Files\Lavasoft Ad-Aware
    2007-08-26 09:30 --------- d-------- C:\Program Files\Lavasoft
    2007-08-26 09:19 --------- d-------- C:\Program Files\TorrentQ
    2007-08-26 09:16 --------- d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2007-08-26 09:07 --------- d-------- C:\Program Files\Image2Ico
    2007-08-26 09:07 --------- d-------- C:\Program Files\Colorful Movie Editor
    2007-08-26 09:03 --------- d-------- C:\Program Files\LogMeIn
    2007-08-06 09:45 --------- d-------- E:\DOCUME~1\ANNALU~1.ANN\APPLIC~1\LimeWire
    2007-06-17 00:11 51200 --a------ E:\WINDOWS\nircmd.exe
    2007-06-12 22:43 11264 --ahs---- C:\Program Files\Thumbs.db
    2007-05-12 14:08 675 --a------ E:\DOCUME~1\ANNALU~1.ANN\clean.reg
    2007-03-10 21:06 1694616 --a------ C:\Program Files\daemon408-139-x64.exe
    2006-09-02 19:30 0 --a------ C:\Program Files\Sony.Vegas.v6.0B.Build.115_Serial.Keygen_Serial WorKiNG.rar
    2006-09-02 17:35 0 --a------ C:\Program Files\SONY.Vegas.6.0c.FULL.Include.Keymaker-PDX.zip
    2006-05-06 03:09 495310848 --a------ C:\Program Files\Microsoft Office XP.ISO
    2002-05-19 20:36 75 --a------ C:\Program Files\Admin_Standalone.url
    2002-05-19 20:36 70 --a------ C:\Program Files\Admin.url
    2002-05-19 20:36 102 --a------ C:\Program Files\Docs_Standalone.url
    2002-05-19 20:36 102 --a------ C:\Program Files\Docs.url
    2002-05-08 17:08 25214 --a------ C:\Program Files\cf_app.ico
    2002-03-18 12:58 4518 --a------ C:\Program Files\mm_ns.css
    2002-03-18 12:58 3735 --a------ C:\Program Files\mm_ie.css
    .

    (((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))


    ---- Directory of E:\WINDOWS\system32\ICM3 ----

    2007-08-08 03:30 116351 --a------ E:\WINDOWS\system32\ICM3\nbv22011.exe

    ---- Directory of E:\WINDOWS\system32\CC1 ----

    2007-07-18 09:50 398136 --a------ E:\WINDOWS\system32\CC1\mon123bcz.exe

    ---- Directory of E:\WINDOWS\system32\bgfig5 ----

    2007-07-31 09:21 8790 --a------ E:\WINDOWS\system32\bgfig5\xd01225.exe


    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .

    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSConfig "= "E:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-03 18:56]
    "HP Software Update "= "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2006-12-19 00:01]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
    LMIinit.dll 2007-05-25 15:22 63040 E:\WINDOWS\system32\LMIinit.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Anna Luzzi^Start Menu^Programs^Adobe^Startup^Adobe Gamma.lnk]
    path=C:\Documents and Settings\Anna Luzzi\Start Menu\Programs\Adobe\Startup\Adobe Gamma.lnk
    backup=E:\WINDOWS\pss\Adobe Gamma.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Anna Luzzi^Start Menu^Programs^Adobe^Startup^IMVU.lnk]
    path=C:\Documents and Settings\Anna Luzzi\Start Menu\Programs\Adobe\Startup\IMVU.lnk
    backup=E:\WINDOWS\pss\IMVU.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\E:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
    path=E:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
    backup=E:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\E:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    path=E:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
    backup=E:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\E:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
    path=E:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
    backup=E:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\E:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
    path=E:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
    backup=E:\WINDOWS\pss\HP Image Zone Fast Start.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\E:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
    path=E:\Documents and Settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
    backup=E:\WINDOWS\pss\Logitech Desktop Messenger.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\E:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
    path=E:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
    backup=E:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
    C:\Program Files\common files\Adobe\Updater\AdobeUpdater.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
    C:\Program Files\AIM\aim.exe -cnetwait.odl

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\au]
    C:\Program Files\Dealio\DealioAU.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
    "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe "

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DIRECT!]
    "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe "

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LDM]
    C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechGalleryRepair]
    C:\Program Files\Logitech\ImageStudio\ISStart.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechImageStudioTray]
    C:\Program Files\Logitech\ImageStudio\LogiTray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogMeIn GUI]
    "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe "

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LVCOMS]
    C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Math Meta 1 About]
    C:\Documents and Settings\All Users\Application Data\TrustKindMathMeta\Ballsect.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mebeluv]
    C:\Program Files\movie maker\mebeluv22011.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsgCenterExe]
    "C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe" -osboot

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe "

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "CAISafe "=3 (0x3)
    "Browser "=2 (0x2)
    "vsmon "=2 (0x2)
    "iPodService "=3 (0x3)
    "SQLAgent$SONY_MEDIAMGR "=3 (0x3)
    "rpcapd "=3 (0x3)
    "Pml Driver HPZ12 "=2 (0x2)
    "MSSQL$SONY_MEDIAMGR "=3 (0x3)
    "mple7docserver "=2 (0x2)
    "LogMeIn "=2 (0x2)
    "LMIMaint "=2 (0x2)
    "IDriverT "=3 (0x3)
    "ColdFusion MX ODBC Server "=2 (0x2)
    "ColdFusion MX ODBC Agent "=2 (0x2)
    "ColdFusion MX Application Server "=2 (0x2)
    "CLTNetCnService "=2 (0x2)
    "Autodesk Licensing Service "=2 (0x2)
    "Adobe LM Service "=3 (0x3)
    "aawservice "=2 (0x2)

    R2 LMIInfo;LogMeIn Kernel Information Provider;\??\C:\Program Files\LogMeIn\x86\RaInfo.sys
    R2 LMIRfsDriver;LogMeIn Remote File System Driver;\??\E:\WINDOWS\system32\drivers\LMIRfsDriver.sys
    R3 LMImirr;LMImirr;E:\WINDOWS\system32\DRIVERS\LMImirr.sys
    S3 ATE_PROCMON;ATE_PROCMON;\??\C:\Program Files\Anti Trojan Elite\ATEPMon.sys
    S4 ColdFusion MX ODBC Agent;ColdFusion MX ODBC Agent;C:\Program Files\db\slserver52\bin\swagent.exe "ColdFusion MX ODBC Agent "
    S4 mple7docserver;Maya 7 PLE Documentation Server; "C:\Program Files\Alias\Maya 7.0 Personal Learning Edition\docs\wrapper.exe" -s "C:\Program Files\Alias\Maya 7.0 Personal Learning Edition\docs\Wrapper.conf "

    .
    Contents of the 'Scheduled Tasks' folder
    "2007-08-19 17:01:00 E:\WINDOWS\Tasks\At14.job "
    - E:\WINDOWS\system32\0BCE7naA.exe
    "2007-01-02 13:10:21 E:\WINDOWS\Tasks\Uniblue SpyEraser.job "
    - C:\program files\uniblue\spyeraser\SpyEraser.exe
    .
    **************************************************************************

    catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-09-12 09:04:46
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2007-09-12 9:05:46 - machine was rebooted
    E:\ComboFix-quarantined-files.txt ... 2007-09-12 09:05
    E:\ComboFix2.txt ... 2007-09-11 09:30
    E:\ComboFix3.txt ... 2007-05-12 13:25
    .
    --- E O F ---

    -----------------------------------------------------


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 9:07:55 AM, on 9/12/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    E:\WINDOWS\System32\smss.exe
    E:\WINDOWS\system32\winlogon.exe
    E:\WINDOWS\system32\services.exe
    E:\WINDOWS\system32\lsass.exe
    E:\WINDOWS\system32\svchost.exe
    E:\WINDOWS\System32\svchost.exe
    E:\WINDOWS\system32\spoolsv.exe
    E:\WINDOWS\system32\HPZipm12.exe
    E:\WINDOWS\system32\svchost.exe
    E:\WINDOWS\system32\wscntfy.exe
    E:\WINDOWS\Explorer.EXE
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    E:\WINDOWS\system32\wuauclt.exe
    E:\WINDOWS\system32\notepad.exe
    E:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    O4 - HKLM\..\Run: [MSConfig] E:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe "
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
    O16 - DPF: {556EEC63-31E2-47C3-BF29-DFF799D2FE04} (Remote Access ActiveX Client) - https://secure.logmein.com/activex/RACtrl.cab
    O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1167871446015
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {A922B6AB-3B87-11D3-B3C2-0008C7DA6CB9} (InetDownload Class) - https://media.pineconeresearch.com/ActiveX/downloadcontrol.cab
    O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
    O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
    O23 - Service: Pml Driver HPZ12 - HP - E:\WINDOWS\system32\HPZipm12.exe

    --
    End of file - 3124 bytes
     
  9. 2007/09/12
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    A few things left to get rid of.

    Copy the contents of the code box below and paste it into a blank notepad, then save it to your desktop as:

    Filename: CFScript.txt
    Save As Type: All Files (*.*)

    Code:
    File::
    E:\WINDOWS\Tasks\At14.job
    
    Folder::
    E:\WINDOWS\system32\ICM3
    E:\WINDOWS\system32\CC1
    E:\WINDOWS\system32\bgfig5
    
    Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button. Combofix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log.

    Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.


    Do you recognize these? Are they legit?

    C:\Program Files\Admin_Standalone.url
    C:\Program Files\Admin.url
    C:\Program Files\Docs_Standalone.url
    C:\Program Files\Docs.url
    C:\Program Files\cf_app.ico
    C:\Program Files\mm_ns.css
    C:\Program Files\mm_ie.css



    If these are what I think, you'd be better off steering clear of such things. ;)

    C:\Program Files\Sony.Vegas.v6.0B.Build.115_Serial.Keygen_Serial WorKiNG.rar
    C:\Program Files\SONY.Vegas.6.0c.FULL.Include.Keymaker-PDX.zip
     
  10. 2007/09/12
    annabanana973

    annabanana973 Inactive Thread Starter

    Joined:
    2007/01/02
    Messages:
    52
    Likes Received:
    0
    ComboFix and more!!

    ComboFix 07-09-12.4 - "Anna Luzzi" 2007-09-12 20:36:26.4 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.748 [GMT -4:00]
    * Created a new restore point

    FILE::
    E:\WINDOWS\Tasks\At14.job
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    E:\WINDOWS\system32\bgfig5
    E:\WINDOWS\system32\bgfig5\xd01225.exe
    E:\WINDOWS\system32\CC1
    E:\WINDOWS\system32\CC1\mon123bcz.exe
    E:\WINDOWS\system32\ICM3
    E:\WINDOWS\system32\ICM3\nbv22011.exe
    E:\WINDOWS\Tasks\At14.job

    .
    ((((((((((((((((((((((((( Files Created from 2007-08-13 to 2007-09-13 )))))))))))))))))))))))))))))))
    .

    2007-08-30 00:37 76,560 --a------ E:\WINDOWS\system32\drivers\tmcomm.sys
    2007-08-26 09:17 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-09-12 09:07 --------- d-------- C:\Program Files\Trend Micro
    2007-08-30 01:16 --------- d-------- C:\Program Files\Lavasoft Ad-Aware
    2007-08-26 09:30 --------- d-------- C:\Program Files\Lavasoft
    2007-08-26 09:19 --------- d-------- C:\Program Files\TorrentQ
    2007-08-26 09:16 --------- d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2007-08-26 09:07 --------- d-------- C:\Program Files\Image2Ico
    2007-08-26 09:07 --------- d-------- C:\Program Files\Colorful Movie Editor
    2007-08-26 09:03 --------- d-------- C:\Program Files\LogMeIn
    2007-08-06 09:45 --------- d-------- E:\DOCUME~1\ANNALU~1.ANN\APPLIC~1\LimeWire
    2007-06-17 00:11 51200 --a------ E:\WINDOWS\nircmd.exe
    2007-06-12 22:43 11264 --ahs---- C:\Program Files\Thumbs.db
    2007-05-12 14:08 675 --a------ E:\DOCUME~1\ANNALU~1.ANN\clean.reg
    2007-03-10 21:06 1694616 --a------ C:\Program Files\daemon408-139-x64.exe
    2006-09-02 19:30 0 --a------ C:\Program Files\Sony.Vegas.v6.0B.Build.115_Serial.Keygen_Serial WorKiNG.rar
    2006-09-02 17:35 0 --a------ C:\Program Files\SONY.Vegas.6.0c.FULL.Include.Keymaker-PDX.zip
    2006-05-06 03:09 495310848 --a------ C:\Program Files\Microsoft Office XP.ISO
    2002-05-19 20:36 75 --a------ C:\Program Files\Admin_Standalone.url
    2002-05-19 20:36 70 --a------ C:\Program Files\Admin.url
    2002-05-19 20:36 102 --a------ C:\Program Files\Docs_Standalone.url
    2002-05-19 20:36 102 --a------ C:\Program Files\Docs.url
    2002-05-08 17:08 25214 --a------ C:\Program Files\cf_app.ico
    2002-03-18 12:58 4518 --a------ C:\Program Files\mm_ns.css
    2002-03-18 12:58 3735 --a------ C:\Program Files\mm_ie.css
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .

    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSConfig "= "E:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-03 18:56]
    "HP Software Update "= "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2006-12-19 00:01]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
    LMIinit.dll 2007-05-25 15:22 63040 E:\WINDOWS\system32\LMIinit.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Anna Luzzi^Start Menu^Programs^Adobe^Startup^Adobe Gamma.lnk]
    path=C:\Documents and Settings\Anna Luzzi\Start Menu\Programs\Adobe\Startup\Adobe Gamma.lnk
    backup=E:\WINDOWS\pss\Adobe Gamma.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Anna Luzzi^Start Menu^Programs^Adobe^Startup^IMVU.lnk]
    path=C:\Documents and Settings\Anna Luzzi\Start Menu\Programs\Adobe\Startup\IMVU.lnk
    backup=E:\WINDOWS\pss\IMVU.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\E:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
    path=E:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
    backup=E:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\E:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    path=E:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
    backup=E:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\E:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
    path=E:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
    backup=E:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\E:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
    path=E:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
    backup=E:\WINDOWS\pss\HP Image Zone Fast Start.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\E:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
    path=E:\Documents and Settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
    backup=E:\WINDOWS\pss\Logitech Desktop Messenger.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\E:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
    path=E:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
    backup=E:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
    C:\Program Files\common files\Adobe\Updater\AdobeUpdater.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
    C:\Program Files\AIM\aim.exe -cnetwait.odl

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\au]
    C:\Program Files\Dealio\DealioAU.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
    "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe "

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DIRECT!]
    "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe "

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LDM]
    C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechGalleryRepair]
    C:\Program Files\Logitech\ImageStudio\ISStart.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechImageStudioTray]
    C:\Program Files\Logitech\ImageStudio\LogiTray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogMeIn GUI]
    "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe "

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LVCOMS]
    C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Math Meta 1 About]
    C:\Documents and Settings\All Users\Application Data\TrustKindMathMeta\Ballsect.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mebeluv]
    C:\Program Files\movie maker\mebeluv22011.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsgCenterExe]
    "C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe" -osboot

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe "

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "CAISafe "=3 (0x3)
    "Browser "=2 (0x2)
    "vsmon "=2 (0x2)
    "iPodService "=3 (0x3)
    "SQLAgent$SONY_MEDIAMGR "=3 (0x3)
    "rpcapd "=3 (0x3)
    "Pml Driver HPZ12 "=2 (0x2)
    "MSSQL$SONY_MEDIAMGR "=3 (0x3)
    "mple7docserver "=2 (0x2)
    "LogMeIn "=2 (0x2)
    "LMIMaint "=2 (0x2)
    "IDriverT "=3 (0x3)
    "ColdFusion MX ODBC Server "=2 (0x2)
    "ColdFusion MX ODBC Agent "=2 (0x2)
    "ColdFusion MX Application Server "=2 (0x2)
    "CLTNetCnService "=2 (0x2)
    "Autodesk Licensing Service "=2 (0x2)
    "Adobe LM Service "=3 (0x3)
    "aawservice "=2 (0x2)

    R2 LMIInfo;LogMeIn Kernel Information Provider;\??\C:\Program Files\LogMeIn\x86\RaInfo.sys
    R2 LMIRfsDriver;LogMeIn Remote File System Driver;\??\E:\WINDOWS\system32\drivers\LMIRfsDriver.sys
    R3 LMImirr;LMImirr;E:\WINDOWS\system32\DRIVERS\LMImirr.sys
    S3 ATE_PROCMON;ATE_PROCMON;\??\C:\Program Files\Anti Trojan Elite\ATEPMon.sys
    S4 ColdFusion MX ODBC Agent;ColdFusion MX ODBC Agent;C:\Program Files\db\slserver52\bin\swagent.exe "ColdFusion MX ODBC Agent "
    S4 mple7docserver;Maya 7 PLE Documentation Server; "C:\Program Files\Alias\Maya 7.0 Personal Learning Edition\docs\wrapper.exe" -s "C:\Program Files\Alias\Maya 7.0 Personal Learning Edition\docs\Wrapper.conf "

    .
    Contents of the 'Scheduled Tasks' folder
    "2007-01-02 13:10:21 E:\WINDOWS\Tasks\Uniblue SpyEraser.job "
    - C:\program files\uniblue\spyeraser\SpyEraser.exe
    .
    **************************************************************************

    catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-09-12 20:40:33
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2007-09-12 20:41:32 - machine was rebooted
    E:\ComboFix-quarantined-files.txt ... 2007-09-12 20:41
    E:\ComboFix2.txt ... 2007-09-12 09:05
    E:\ComboFix3.txt ... 2007-09-11 09:30
    .
    --- E O F ---



    Yeah, I don't recognize any of those files... and yes being poor makes you do crazy things... btw.. my biggest problem actually is just getting my internet to work for more than 15 minutes at a time. My internet is hooked up to a router and I'm guessing that the router isn't the problem because I also have xbox live connected to it and it doesn't shut off every 15 minutes. I even have linux on my computer and the internet doesn't go out on there either. I've tried going to control panel, clicking network connections, enabling and disabling it, and even repairing it and nothing works. Help!!! I would be on linux if I didn't have so much school work that requires internet explorer and microsoft office. :(
     
  11. 2007/09/12
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Go to C:\Program Files and create a new folder. Name it suspect. Now hold down on the Ctrl button and click each of those 7 files I asked about 1 time so that they are all selected. Right click any one of them and select Cut. Click the suspect folder 1 time, then right click on it and select Paste. Those files should now be in the suspect folder. Right click the folder and select Send To>Compressed (zipped) Folder. A new file, suspect.zip will appear. Please upload that zip file to my submission channel. Leave a link back to this topic.

    Delete the following files/folders.

    C:\ComboFix
    C:\QOOBOX
    C:\VundoFix Backups
    C:\WINDOWS\nircmd.exe
    combofix.exe
    vundofix.exe
    all combofix and vundofix logs

    Download ATF Cleaner by Atribune and save it to your Desktop.
    Double click ATF-Cleaner.exe to run the program.
    Check the boxes to the left of:

    Windows Temp
    Current User Temp
    All Users Temp
    Temporary Internet Files
    Prefetch
    Java Cache
    Recycle bin


    The rest are optional - if you want it to remove everything check "Select All ".
    Finally, click Empty Selected. When you get the "Done Cleaning" message, click OK.

    Reboot.

    Download and install AVG Anti-Spyware (AVG-AS)
    • When installation completes, start AVG-AS then click the Update tab at the top. Under Manual Update click Start update.
    • After the update finishes (the status bar at the bottom will display "Update successful "), click on the Scanner tab at the top.
    • Click the "Settings" tab and change the recommended action to Quarantine.
    • Click Automatically generate report after every scan.
    • Go back to the "Scan" tab and click "Complete System Scan ". This scan can take quite a while to run, so sit back and wait.
    • AVG-AS will list any infections found on the left hand side. When the scan has finished, it will automatically set the recommended action.
    • Click the Apply all actions button. AVG-AS will display "All actions have been applied" on the right hand side.
    • Click on "Save Report ", then "Save Report As ". Save the report where you know you can find it again (like on the Desktop) and take note of the name.
    • Close AVG-AS and reboot.

    Please post the contents of a new HiJackThis log and the AVG-AS report.


    Let me know if your internet connection still drops out, and if so, how often. I'd also like to know what you do to get online again.
     
  12. 2007/09/14
    annabanana973

    annabanana973 Inactive Thread Starter

    Joined:
    2007/01/02
    Messages:
    52
    Likes Received:
    0
    Hijackthis and stuff...

    Okay, I uploaded it. I put a link to this forum.... http://www.windowsbbs.com/showthread.php?t=67417
    It says, "Your file was successfully submitted. Please let the user helping you know that you have submitted the file. "

    I deleted

    C:\ComboFix
    C:\QOOBOX -
    C:\VundoFix Backups
    C:\WINDOWS\nircmd.exe
    combofix.exe
    vundofix.exe
    all combofix and vundofix logs

    from my E drive. I didn't see it on my C drive.

    I scanned with the AVG and it got everything, I wasn't able to save a logfile, I don't know why. It didn't give me that option after the scan, I even went into program files, grisoft, avg, and I still didn't see a logfile of it saved after the scan. I have the Hijack logfile... I guess I'll try and run another scan with AVG and post that.

    Just thought I'd throw this out there... I went to start, run, typed msconfig, and I noticed on my startup I have some programs there that look like malware one of them is like dealioAU.exe

    Anyway, yeah like I said my internet just goes out every 15 minutes or so. To get back on the internet I have to restart my computer. I don't know, maybe it could be my router, do you know how I can go about fixing it?



    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 8:44:42 PM, on 9/14/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    E:\WINDOWS\System32\smss.exe
    E:\WINDOWS\system32\winlogon.exe
    E:\WINDOWS\system32\services.exe
    E:\WINDOWS\system32\lsass.exe
    E:\WINDOWS\system32\svchost.exe
    E:\WINDOWS\System32\svchost.exe
    E:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    E:\WINDOWS\system32\HPZipm12.exe
    E:\WINDOWS\system32\svchost.exe
    E:\WINDOWS\Explorer.EXE
    E:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\Program Files\AIM\aim.exe
    E:\Program Files\Internet Explorer\IEXPLORE.EXE
    E:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    O4 - HKLM\..\Run: [MSConfig] E:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
    O16 - DPF: {556EEC63-31E2-47C3-BF29-DFF799D2FE04} (Remote Access ActiveX Client) - https://secure.logmein.com/activex/RACtrl.cab
    O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1167871446015
    O16 - DPF: {95D88B35-A521-472B-A182-BB1A98356421} (Pearson Installation Assistant 2) - http://asp.mathxl.com/books/_Players/PearsonInstallAsst2.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {A922B6AB-3B87-11D3-B3C2-0008C7DA6CB9} (InetDownload Class) - https://media.pineconeresearch.com/ActiveX/downloadcontrol.cab
    O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
    O16 - DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} (Pearson MathXL Player) - http://asp.mathxl.com/books/_Players/MathPlayer.cab
    O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: Pml Driver HPZ12 - HP - E:\WINDOWS\system32\HPZipm12.exe

    --
    End of file - 3642 bytes
     
  13. 2007/09/14
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Sorry about the error on my part, RE: drive C: and E: :eek:

    You should open msconfig again, check ALL boxes then close. When prompted, click 'Exit without restart'. We'll come back to that in a minute.

    You can uninstall it via Add/Remove Programs if this is not something you want. If you intend to remove it, do so now. Do NOT restart the machine if prompted.

    Open AVG-AS and click the Reports icon at the top. There should be one listed for the scan you just did. Select it, then click Save Report As. Give it a name and save it to the desktop.

    Do another scan with HijackThis and save the log. Post it here along with the AVG-AS report.

    We'll take care of the msconfig items once the HijackThis log is posted. Don't reboot until after we've finished (won't take long ;) ).

    I got the zip file ........ thanks! I'll look it over and advise accordingly in my next reply.
     
  14. 2007/09/14
    annabanana973

    annabanana973 Inactive Thread Starter

    Joined:
    2007/01/02
    Messages:
    52
    Likes Received:
    0
    Hijackthis and stuff... :p

    Okay, well you said check all boxes, I'm assuming you mean to enable all of them at startup, so I did that.
    I went to add/remove programs, but I don't see the dealio or any other suspicious looking program there.
    So I didn't delete anything there.

    I went to AVG-AS and clicked reports, it says "No reports available ".
    Should I scan again anyway? Here's the Hijackthis again... I haven't restarted my computer yet.


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 10:10:18 PM, on 9/14/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    E:\WINDOWS\System32\smss.exe
    E:\WINDOWS\system32\winlogon.exe
    E:\WINDOWS\system32\services.exe
    E:\WINDOWS\system32\lsass.exe
    E:\WINDOWS\system32\svchost.exe
    E:\WINDOWS\System32\svchost.exe
    E:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    E:\WINDOWS\system32\HPZipm12.exe
    E:\WINDOWS\system32\svchost.exe
    E:\WINDOWS\Explorer.EXE
    E:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    E:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\VideoLAN\VLC\vlc.exe
    E:\WINDOWS\system32\notepad.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    O4 - HKLM\..\Run: [MSConfig] E:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe "
    O4 - HKLM\..\Run: [MsgCenterExe] "C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe" -osboot
    O4 - HKLM\..\Run: [mebeluv] C:\Program Files\movie maker\mebeluv22011.exe
    O4 - HKLM\..\Run: [Math Meta 1 About] C:\Documents and Settings\All Users\Application Data\TrustKindMathMeta\Ballsect.exe
    O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
    O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe "
    O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
    O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
    O4 - HKLM\..\Run: [au] C:\Program Files\Dealio\DealioAU.exe
    O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
    O4 - HKCU\..\Run: [DIRECT!] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe "
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe "
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\common files\Adobe\Updater\AdobeUpdater.exe
    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\common files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Startup: IMVU.lnk = C:\Program Files\IMVU\IMVUClient.exe
    O4 - User Startup: Adobe Gamma.lnk = C:\Program Files\common files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - User Startup: IMVU.lnk = C:\Program Files\IMVU\IMVUClient.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\common files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
    O16 - DPF: {556EEC63-31E2-47C3-BF29-DFF799D2FE04} (Remote Access ActiveX Client) - https://secure.logmein.com/activex/RACtrl.cab
    O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1167871446015
    O16 - DPF: {95D88B35-A521-472B-A182-BB1A98356421} (Pearson Installation Assistant 2) - http://asp.mathxl.com/books/_Players/PearsonInstallAsst2.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {A922B6AB-3B87-11D3-B3C2-0008C7DA6CB9} (InetDownload Class) - https://media.pineconeresearch.com/ActiveX/downloadcontrol.cab
    O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
    O16 - DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} (Pearson MathXL Player) - http://asp.mathxl.com/books/_Players/MathPlayer.cab
    O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: Pml Driver HPZ12 - HP - E:\WINDOWS\system32\HPZipm12.exe

    --
    End of file - 6014 bytes
     
  15. 2007/09/14
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    The files you moved to the suspect folder are part of Macromedia's Cold Fusion. They are safe and can be moved back or left where they are.

    Scan again with HijackThis and place a check next to the following entries.

    O4 - HKLM\..\Run: [MSConfig] E:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe "
    O4 - HKLM\..\Run: [MsgCenterExe] "C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe" -osboot
    O4 - HKLM\..\Run: [mebeluv] C:\Program Files\movie maker\mebeluv22011.exe
    O4 - HKLM\..\Run: [Math Meta 1 About] C:\Documents and Settings\All Users\Application Data\TrustKindMathMeta\Ballsect.exe
    O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
    O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
    O4 - HKLM\..\Run: [au] C:\Program Files\Dealio\DealioAU.exe
    O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
    O4 - HKCU\..\Run: [DIRECT!] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe "
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe "
    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\common files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Startup: IMVU.lnk = C:\Program Files\IMVU\IMVUClient.exe
    O4 - User Startup: Adobe Gamma.lnk = C:\Program Files\common files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - User Startup: IMVU.lnk = C:\Program Files\IMVU\IMVUClient.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\common files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

    If you do not want AIM to startup when you logon, you can fix its entry too.

    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl

    Now, click Fix Checked.

    Delete the folder C:\Program Files\Dealio if present.

    Please download the AVG Free antivirus and save the file to your desktop.

    Restart the computer now.

    Upon reboot, install AVG and update it. Restart if/when prompted. Now run a full scan on the system. Post back with the results and a new HijackThis log.

    Let me know how things are working and if you're still experiencing connection problems.
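As an added example (not code from this thread, from HijackThis or from Trend Micro), here is a small Python 3 parser for the O4 autostart lines of a HijackThis log. It diffs a "before" log against an "after" log so a helper can confirm that Fix Checked actually removed the entries that were ticked, and it can check a "fix these" list against the newest log to see what is still present. The two sample logs are constructed excerpts of the logs posted in this thread; the `extract_exe` heuristic for unquoted paths containing spaces is my own.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed excerpts of the HijackThis logs posted above: a few O4 lines
# from before "Fix Checked" (post 14) and from after it (post 16).
BEFORE_LOG = r"""
O4 - HKLM\..\Run: [MSConfig] E:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [mebeluv] C:\Program Files\movie maker\mebeluv22011.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [au] C:\Program Files\Dealio\DealioAU.exe
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\common files\Adobe\Updater\AdobeUpdater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O23 - Service: Pml Driver HPZ12 - HP - E:\WINDOWS\system32\HPZipm12.exe
"""

AFTER_LOG = r"""
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\common files\Adobe\Updater\AdobeUpdater.exe
O23 - Service: Pml Driver HPZ12 - HP - E:\WINDOWS\system32\HPZipm12.exe
"""

# "O4 - HKLM\..\Run: [value name] command line"  (also RunOnce etc.)
O4_RUN = re.compile(r'^O4 - (?P<loc>HK\w+)\\\.\.\\Run\w*: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
# "O4 - Global Startup: shortcut.lnk = command line"  (also Startup / User Startup)
O4_LNK = re.compile(r'^O4 - (?P<loc>[\w ]*Startup): (?P<name>.+?) = (?P<cmd>.*)$')


@dataclass(frozen=True)
class Autostart:
    loc: str   # registry hive (HKLM/HKCU) or startup-folder kind
    name: str  # registry value name or .lnk name
    cmd: str   # full command line exactly as logged

    @property
    def exe(self) -> str:
        return extract_exe(self.cmd)


def extract_exe(cmd: str) -> str:
    """Pull the executable path out of a logged command line, tolerating both
    quoted paths and unquoted paths that contain spaces (heuristic: stop at the
    first .exe/.com/.scr/.dll token). Useful when you want to hash or upload it."""
    cmd = cmd.strip()
    m = re.match(r'^"([^"]+)"', cmd)
    if m:
        return m.group(1).strip()
    m = re.match(r'^(.+?\.(?:exe|com|scr|dll))(?:\s|$)', cmd, re.IGNORECASE)
    return m.group(1) if m else cmd


def parse_autostarts(log_text: str) -> list[Autostart]:
    """Return every O4 entry in a HijackThis log as an Autostart record."""
    items = []
    for line in log_text.splitlines():
        line = line.strip()
        m = O4_RUN.match(line) or O4_LNK.match(line)
        if m:
            items.append(Autostart(m['loc'], m['name'], m['cmd'].strip()))
    return items


def diff_autostarts(before_text: str, after_text: str):
    """(removed, added): entries that disappeared after the fix, and any that are new."""
    before = set(parse_autostarts(before_text))
    after = set(parse_autostarts(after_text))
    key = lambda a: a.name
    return sorted(before - after, key=key), sorted(after - before, key=key)


def unresolved(after_text: str, fix_list_text: str) -> list[Autostart]:
    """Entries from a helper's 'place a check next to' list that the new log still shows."""
    wanted = set(parse_autostarts(fix_list_text))
    present = set(parse_autostarts(after_text))
    return sorted(wanted & present, key=lambda a: a.name)


if __name__ == "__main__":
    removed, added = diff_autostarts(BEFORE_LOG, AFTER_LOG)
    for a in removed:
        print(f"fixed: {a.loc} [{a.name}] -> {a.exe}")
    for a in added:
        print(f"new:   {a.loc} [{a.name}] -> {a.exe}")
```

Comparing whole entries (location, name and command line) rather than just names matters: a re-infection that recreates the same value name with a different path shows up as one removed and one added entry instead of disappearing from the diff.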
     
  16. 2007/09/14
    annabanana973

    annabanana973 Inactive Thread Starter

    Joined:
    2007/01/02
    Messages:
    52
    Likes Received:
    0
    Ah, cant save AVG report...

    Yeah, I kinda figured when I saw the icon that it was cold fusion, the cf_app.ico. :p But the rest of the stuff I had no idea what it was. Anyway...

    C:\Program Files\Dealio wasn't there. :(

    I uninstalled and reinstalled the AVG scanner. I went to settings, changed it to quarantine, and checked automatically generate report after every scan. I scanned and quarantined everything. But the "save report" file isn't lit up, I can't click on it. :(

    Here's hijackthis...
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:46:53 PM, on 9/14/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    E:\WINDOWS\System32\smss.exe
    E:\WINDOWS\system32\winlogon.exe
    E:\WINDOWS\system32\services.exe
    E:\WINDOWS\system32\lsass.exe
    E:\WINDOWS\system32\svchost.exe
    E:\WINDOWS\System32\svchost.exe
    E:\WINDOWS\system32\spoolsv.exe
    E:\WINDOWS\system32\HPZipm12.exe
    E:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
    C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
    E:\WINDOWS\system32\wscntfy.exe
    E:\Program Files\Internet Explorer\IEXPLORE.EXE
    E:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    E:\WINDOWS\explorer.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
    O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe "
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\common files\Adobe\Updater\AdobeUpdater.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
    O16 - DPF: {556EEC63-31E2-47C3-BF29-DFF799D2FE04} (Remote Access ActiveX Client) - https://secure.logmein.com/activex/RACtrl.cab
    O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1167871446015
    O16 - DPF: {95D88B35-A521-472B-A182-BB1A98356421} (Pearson Installation Assistant 2) - http://asp.mathxl.com/books/_Players/PearsonInstallAsst2.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {A922B6AB-3B87-11D3-B3C2-0008C7DA6CB9} (InetDownload Class) - https://media.pineconeresearch.com/ActiveX/downloadcontrol.cab
    O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
    O16 - DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} (Pearson MathXL Player) - http://asp.mathxl.com/books/_Players/MathPlayer.cab
    O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: Pml Driver HPZ12 - HP - E:\WINDOWS\system32\HPZipm12.exe

    --
    End of file - 3847 bytes
     
  17. 2007/09/14
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    I meant for you to install AVG Antivirus, and I also meant to give you a link. I apologize :(

    http://free.grisoft.com/doc/2

    I'll have to see what I can dig up on AVG-AS not generating a report. You are the second user I've had report that. Don't worry about it right now, just get the antivirus installed and run a full scan.

    How's the computer running?
     
  18. 2007/09/15
    annabanana973

    annabanana973 Inactive Thread Starter

    Joined:
    2007/01/02
    Messages:
    52
    Likes Received:
    0
    AVG Scan

    Yeah, I can't seem to copy and paste the results so I just took a screen shot. Eh.. it messed up the keylogger I had put on my computer... but anyway yeah my computer is running fine it's just the internet keeps going out on it. Like I'd be on AIM and like 10 minutes later it says connection lost. I don't know how to fix it. :(

    http://img398.imageshack.us/my.php?image=testresultsfh8.jpg
     
  19. 2007/09/15
    annabanana973

    annabanana973 Inactive Thread Starter

    Joined:
    2007/01/02
    Messages:
    52
    Likes Received:
    0
    Internet Problems....

    So anyway... I went to start, run, typed cmd, ipconfig, I got my router IP and then I had two windows open... I did ping google.com -t and ping 192.168.1.1 -t simultaneously until my internet went out again... so I'm guessing it might be a malware problem not a router problem. It's like my aim would be working but not my internet explorer... yes just letting you know all this so perhaps we can find the problem together :D
     
  20. 2007/09/15
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Look around in AVG's options. You may be able to exclude programs such as the keylogger you want. Otherwise, you need to shop for an antivirus program that will allow you to exclude it.

    Delete the following.

    C:\SDFix
    C:\Program Files\WinBudget
    E:\Deckard

    Empty the recycle bin.

    Because of the number of infections, you need to clear your system restore points.

    Clear past system restore points and create a new one.
    Right click My Computer and select Properties. On the System Restore tab, check the box to turn System Restore off. Click Apply. Now, uncheck the box and click Apply. Click OK, then OK to close the System Properties dialog.

    Verify a new restore point was created.
    Click Start>All Programs>Accessories>System Tools>System Restore
    Select 'Restore my computer to an earlier time', then click next.
    You should have a newly created System Checkpoint available. If so, click Cancel. If not, click Back and select 'Create a restore point' then click Next. Give the restore point a name and click next.


    Next time your connection drops out, open a command window and type the following command.

    ipconfig /all >> c:\config.txt

    If it does not produce C:\config.txt, do it again using e:\config.txt instead. Post the contents of that log.
     
  21. 2007/09/15
    annabanana973

    annabanana973 Inactive Thread Starter

    Joined:
    2007/01/02
    Messages:
    52
    Likes Received:
    0
    Config.txt

    Okay, I got my keylogger back. I deleted those thingies. I did the system restore point for today's date. I got the text for when my internet went out and saved it on my comp and here it is.



    Windows IP Configuration

    Host Name . . . . . . . . . . . . : anna
    Primary Dns Suffix . . . . . . . :
    Node Type . . . . . . . . . . . . : Unknown
    IP Routing Enabled. . . . . . . . : No
    WINS Proxy Enabled. . . . . . . . : No
    DNS Suffix Search List. . . . . . : hsd1.nj.comcast.net.

    Ethernet adapter Local Area Connection:

    Connection-specific DNS Suffix . : hsd1.nj.comcast.net.
    Description . . . . . . . . . . . : SiS 900-Based PCI Fast Ethernet Adapter
    Physical Address. . . . . . . . . : 00-C0-A9-82-E1-49
    Dhcp Enabled. . . . . . . . . . . : Yes
    Autoconfiguration Enabled . . . . : Yes
    IP Address. . . . . . . . . . . . : 192.168.1.102
    Subnet Mask . . . . . . . . . . . : 255.255.255.0
    Default Gateway . . . . . . . . . : 192.168.1.1
    DHCP Server . . . . . . . . . . . : 192.168.1.1
    DNS Servers . . . . . . . . . . . : 68.87.64.146
                                        68.87.75.194
    Lease Obtained. . . . . . . . . . : Saturday, September 15, 2007 12:56:35 PM
    Lease Expires . . . . . . . . . . : Sunday, September 16, 2007 12:56:35 PM
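An added example, not code from this thread or from any Windows tool: a Python 3 parser for `ipconfig /all` output of the kind requested in post 20 and posted just above, followed by the sanity checks a helper would run on a capture taken at the moment the link dropped (is there a real address rather than an APIPA one, is the default gateway inside the local subnet, was the DHCP lease still valid, are DNS servers present). The sample text is constructed from the output posted above; the `diagnose` wording and the ISO-timestamp convention for the capture time are my own assumptions.

```python
import ipaddress
import re
from datetime import datetime

# Constructed sample, modelled on the ipconfig /all output posted above (post 21).
SAMPLE = """\
Windows IP Configuration

        Host Name . . . . . . . . . . . . : anna
        Primary Dns Suffix . . . . . . . :
        Node Type . . . . . . . . . . . . : Unknown
        IP Routing Enabled. . . . . . . . : No
        WINS Proxy Enabled. . . . . . . . : No
        DNS Suffix Search List. . . . . . : hsd1.nj.comcast.net.

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix . : hsd1.nj.comcast.net.
        Description . . . . . . . . . . . : SiS 900-Based PCI Fast Ethernet Adapter
        Physical Address. . . . . . . . . : 00-C0-A9-82-E1-49
        Dhcp Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.1.102
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1
        DHCP Server . . . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 68.87.64.146
                                            68.87.75.194
        Lease Obtained. . . . . . . . . . : Saturday, September 15, 2007 12:56:35 PM
        Lease Expires . . . . . . . . . . : Sunday, September 16, 2007 12:56:35 PM
"""

# "Ethernet adapter Local Area Connection:"  -> starts a new adapter section
ADAPTER = re.compile(r'^(?P<kind>\S.*?) adapter (?P<name>.+):$')
# "Key . . . . : value"  -> a label padded with dot leaders; a line without a
# label (no dot leaders before the colon) is a continuation of the previous key.
ENTRY = re.compile(r'^\s*(?P<key>[A-Za-z][A-Za-z0-9 \-]*?)[ .]*\.[ .]*: ?(?P<val>.*)$')
# Lease timestamps as ipconfig prints them in an English locale.
LEASE_FMT = '%A, %B %d, %Y %I:%M:%S %p'


def parse_ipconfig(text):
    """Return (global_settings, adapters); every value is a list because some
    fields, such as DNS Servers, continue on the following lines."""
    global_cfg, adapters = {}, {}
    section, last_key = global_cfg, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip():
            continue
        m = ADAPTER.match(line)
        if m:
            section = adapters.setdefault(m['name'], {})
            last_key = None
            continue
        m = ENTRY.match(line)
        if m:
            last_key = m['key'].strip()
            section.setdefault(last_key, [])
            if m['val'].strip():
                section[last_key].append(m['val'].strip())
            continue
        if last_key is not None:          # continuation line (second DNS server etc.)
            section[last_key].append(line.strip())
    return global_cfg, adapters


def _as_dt(when):
    # Accept a datetime or an ISO 8601 string such as "2007-09-15T13:00:00".
    return when if isinstance(when, datetime) else datetime.fromisoformat(when)


def lease_window(adapter):
    obtained = datetime.strptime(adapter['Lease Obtained'][0], LEASE_FMT)
    expires = datetime.strptime(adapter['Lease Expires'][0], LEASE_FMT)
    return obtained, expires


def lease_valid_at(adapter, when):
    obtained, expires = lease_window(adapter)
    return obtained <= _as_dt(when) < expires


def gateway_on_link(adapter):
    """True if every default gateway lies inside the adapter's own subnet; if
    not, the host cannot ARP for it and all off-link traffic silently fails."""
    net = ipaddress.ip_network(
        f"{adapter['IP Address'][0]}/{adapter['Subnet Mask'][0]}", strict=False)
    return all(ipaddress.ip_address(g) in net for g in adapter['Default Gateway'])


def diagnose(adapter, captured_at):
    """Plain-text findings for a capture taken at captured_at (empty list = looks healthy)."""
    findings = []
    addr = adapter.get('IP Address', [])
    if not addr or addr[0].startswith('169.254.'):
        findings.append('no DHCP lease (empty or APIPA address)')
    if not adapter.get('Default Gateway'):
        findings.append('no default gateway')
    elif addr and not gateway_on_link(adapter):
        findings.append('default gateway is outside the local subnet')
    if 'Lease Obtained' in adapter and not lease_valid_at(adapter, captured_at):
        findings.append('DHCP lease not valid at capture time')
    if not adapter.get('DNS Servers'):
        findings.append('no DNS servers')
    return findings


if __name__ == "__main__":
    _, adapters = parse_ipconfig(SAMPLE)
    for name, cfg in adapters.items():
        print(name, diagnose(cfg, '2007-09-15T13:00:00') or ['no obvious layer-3 problem'])
```

If `diagnose` comes back empty for a capture taken while the link was down, the addressing layer is intact at that moment, which points the investigation at what sits above it (name resolution, a filter driver or LSP, or the application itself) rather than at the router's DHCP service.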
     
