Tech Support Guy Forums > Security & Malware Removal > Virus & Other Malware Removal
Solved: Popups, other problems

tutatut
Junior Member with 11 posts.
 
Join Date: Jun 2008
Experience: Computer Illiterate
03-Jun-2008, 04:14 AM #1
Solved: Popups, other problems
Hello, I have a problem with popups, and pages that are slow to load or (more likely) don't load at all. Google cannot load any search results (nor can any other search engines). It looks like it's loading for a few seconds but instead of a search results page a popup comes up. Also, some ads were appearing on top of images (though that particular problem hasn't reappeared for a full day now).
I had to register to the forum on another computer because this one would never load...

Help would be very much appreciated.
Here is my Hijack This log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:58:59 PM, on 6/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\AhnLab\ACA\ACAAS.exe
C:\Program Files\Common Files\AhnLab\ACA\ACAEGMgr.exe
C:\Program Files\AhnLab\V3IS2007\MSProxy.ahn
C:\Program Files\Common Files\AhnLab\ACA\ACAIS.exe
C:\Program Files\Common Files\AhnLab\ACA\ACALS.exe
C:\Program Files\AhnLab\Smart Update Utility\AhnSDsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\COMMON~1\AhnLab\ACA\ACASP.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\LimeWire\LimeWire.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\system32\lxbxcoms.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AhnLab Session Process] "C:\PROGRA~1\COMMON~1\AhnLab\ACA\ACASP.exe"
O4 - HKLM\..\Run: [lxbxmon.exe] "C:\Program Files\Lexmark 7100 Series\lxbxmon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 7100 Series\ezprint.exe"
O4 - HKLM\..\Run: [Corel Painter Essentials 21a] C:\Program Files\Corel\Corel Painter Essentials 2\registration.exe /title="Corel Painter Essentials 2" /date=020508 serial=PE02CBX-0000003-NMD lang=EN
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LXBXCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBXtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [24551db1] rundll32.exe "C:\WINDOWS\system32\pytdqcde.dll",b
O4 - HKLM\..\Run: [BM27662e2d] Rundll32.exe "C:\WINDOWS\system32\rnblxywn.dll",s
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Drmupgds] C:\Program Files\Drmupgds\Drmupgds.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {306BDCAE-B7BF-4966-82A8-DFFC9DC3B4A9} (ONSEDownLoad Control) - http://club.shinbiro.com/common/ONSEUpDown.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1205619002671
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AhnLab Application Service - AhnLab, Inc. - C:\Program Files\Common Files\AhnLab\ACA\ACAAS.exe
O23 - Service: AhnLab Guarantee Service - AhnLab, Inc. - C:\Program Files\Common Files\AhnLab\ACA\ACAEGMgr.exe
O23 - Service: AhnLab Information Service - AhnLab, Inc. - C:\Program Files\Common Files\AhnLab\ACA\ACAIS.exe
O23 - Service: AhnLab Log Service - AhnLab, Inc. - C:\Program Files\Common Files\AhnLab\ACA\ACALS.exe
O23 - Service: AhnLab Task Scheduler - AhnLab, Inc. - C:\Program Files\AhnLab\Smart Update Utility\AhnSDsv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: lxbx_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxbxcoms.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe

--
End of file - 5553 bytes
andyspeake
Senior Member with 1,539 posts.
 
Join Date: May 2007
Location: Glasgow,Scotland
Experience: Advanced
03-Jun-2008, 09:26 AM #2
Hello, and Welcome
I will be assisting you with your malware issues.
Please be patient as I need some time to review your HijackThis log, and I will post back recommendations for repairs.
As I am still in training, everything that I post to you must be checked by an Admin or Moderator. Thus, there may be a tiny bit of a delay between posts, but it shouldn't be too long.
  • Whatever repairs we make are for fixing your computer problems only and by no means should be used on another computer.
  • Continue to respond to this thread until I give you the All Clean! If you have any questions or you're stuck, please reply to me. I will try my best to help you!
  • Please bookmark or favourite this page in case you need it for reference.

RENAME HIJACKTHIS

There is some infection hiding in your log.

Using Windows Explorer (right-click the Start button and left-click Explore), navigate to: C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

Right-click on HijackThis.exe & select Rename to scanner.exe and post back a new Hijackthis log.
__________________
If the people from TSG have helped you, please consider making a donation Here
andyspeake
Senior Member with 1,539 posts.
 
Join Date: May 2007
Location: Glasgow,Scotland
Experience: Advanced
04-Jun-2008, 07:30 AM #3
Hi,

Disable AVG Anti-Spyware

Please disable AVG Anti-Spyware until the computer is clean.
  • Open AVG Anti-Spyware by double-clicking the multi-colored box emblazoned with an 'S' in the system tray.
  • In the 'Resident Shield' section, toggle the AVG Anti-Spyware active protection 'off' by clicking 'Change state' which will then change the protection status to 'inactive'.
  • If you are instructed to reboot at any time during your cleanup, AVG Anti-Spyware will prompt you as to whether you would like to "Restart the Resident Shield".
  • Reply 'no' and set it to 'inactive' for the duration of your cleanup.
Don't forget to re-enable it, when your computer is clean.

LimeWire
You have LimeWire, a P2P/file sharing program, installed on your computer. P2P apps like it are the largest source of malware we see. You'll be doing yourself a favor by removing it.

References for the risk of these programs can be found in these links: http://www.microsoft.com/windows/ie/...rotection.mspx
http://www.techweb.com/wire/160500554
http://www.internetworldstats.com/articles/art053.htm
See Clean/Infected P2P Programs here

I would recommend that you uninstall LimeWire; however, that choice is up to you. If you choose to remove these programs, you can do so via Control Panel >> Add or Remove Programs.

If you wish to keep it, please do not use it until your computer is cleaned.

============================================

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process, then display Finished; press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log

Download and Run ComboFix

Please visit this webpage for instructions for downloading ComboFix to your Desktop:
http://www.bleepingcomputer.com/comb...o-use-combofix
Please ensure you read this guide carefully and install the Recovery Console first.

Additional links to download the tool:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:
  • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Click Yes to allow ComboFix to continue scanning for malware.
  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.

So please post back:
SDFix Results
Combofix Results
Fresh Hijackthis log.
tutatut
Junior Member with 11 posts.
 
Join Date: Jun 2008
Experience: Computer Illiterate
05-Jun-2008, 03:09 AM #4
Hey, I couldn't install the Windows Recovery Console because I didn't have a Windows XP CD... :S

Here's the log after changing HijackThis to Scanner.exe:
(I've uninstalled LimeWire.)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:07:45 PM, on 6/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AhnLab\ACA\ACAAS.exe
C:\Program Files\Common Files\AhnLab\ACA\ACAEGMgr.exe
C:\Program Files\AhnLab\V3IS2007\MSProxy.ahn
C:\Program Files\Common Files\AhnLab\ACA\ACAIS.exe
C:\Program Files\Common Files\AhnLab\ACA\ACALS.exe
C:\Program Files\AhnLab\Smart Update Utility\AhnSDsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\COMMON~1\AhnLab\ACA\ACASP.exe
C:\Program Files\Lexmark 7100 Series\ezprint.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\WINDOWS\system32\lxbxcoms.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\conime.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\scanner.exe.exe

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {C5C556C0-2AB7-422E-936C-1D320E1F4E79} - C:\WINDOWS\system32\ddcAqPfd.dll
O2 - BHO: {6757edbd-cd6b-812b-9864-fc0105a9b91d} - {d19b9a50-10cf-4689-b218-b6dcdbde7576} - C:\WINDOWS\system32\ldwhpryi.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AhnLab Session Process] "C:\PROGRA~1\COMMON~1\AhnLab\ACA\ACASP.exe"
O4 - HKLM\..\Run: [lxbxmon.exe] "C:\Program Files\Lexmark 7100 Series\lxbxmon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 7100 Series\ezprint.exe"
O4 - HKLM\..\Run: [Corel Painter Essentials 21a] C:\Program Files\Corel\Corel Painter Essentials 2\registration.exe /title="Corel Painter Essentials 2" /date=020508 serial=PE02CBX-0000003-NMD lang=EN
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LXBXCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBXtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [BM27662e2d] Rundll32.exe "C:\WINDOWS\system32\rviwhajb.dll",s
O4 - HKLM\..\Run: [24551db1] rundll32.exe "C:\WINDOWS\system32\lhhrglcx.dll",b
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {306BDCAE-B7BF-4966-82A8-DFFC9DC3B4A9} (ONSEDownLoad Control) - http://club.shinbiro.com/common/ONSEUpDown.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1205619002671
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O20 - Winlogon Notify: gebxwur - gebxwur.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AhnLab Application Service - AhnLab, Inc. - C:\Program Files\Common Files\AhnLab\ACA\ACAAS.exe
O23 - Service: AhnLab Guarantee Service - AhnLab, Inc. - C:\Program Files\Common Files\AhnLab\ACA\ACAEGMgr.exe
O23 - Service: AhnLab Information Service - AhnLab, Inc. - C:\Program Files\Common Files\AhnLab\ACA\ACAIS.exe
O23 - Service: AhnLab Log Service - AhnLab, Inc. - C:\Program Files\Common Files\AhnLab\ACA\ACALS.exe
O23 - Service: AhnLab Task Scheduler - AhnLab, Inc. - C:\Program Files\AhnLab\Smart Update Utility\AhnSDsv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: lxbx_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxbxcoms.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe

--
End of file - 6062 bytes
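A log triage helper, added here as an example (not the helper's or HijackThis's own tooling), that scans O2/O4/O20 lines for the kinds of entries the helper is reacting to in the two logs above: Run values with hex-looking names that load a random-named DLL through rundll32 with a one-letter export, nameless or GUID-named BHOs loading such DLLs from the Windows directory, and a Winlogon Notify entry whose DLL is missing. The excerpt is constructed from entries posted in this thread, and the patterns are this example's own assumptions, meant to prioritise review rather than give a verdict.

```python
import re
from typing import List, Tuple

# Constructed excerpt: O2/O4/O20/O23 lines of the kind posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {C5C556C0-2AB7-422E-936C-1D320E1F4E79} - C:\WINDOWS\system32\ddcAqPfd.dll
O2 - BHO: {6757edbd-cd6b-812b-9864-fc0105a9b91d} - {d19b9a50-10cf-4689-b218-b6dcdbde7576} - C:\WINDOWS\system32\ldwhpryi.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [LXBXCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBXtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [24551db1] rundll32.exe "C:\WINDOWS\system32\pytdqcde.dll",b
O4 - HKLM\..\Run: [BM27662e2d] Rundll32.exe "C:\WINDOWS\system32\rnblxywn.dll",s
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: gebxwur - gebxwur.dll (file missing)
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
""".strip()

# Line shapes of the HijackThis v2 sections this example looks at.
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<dll>.*)$")
# rundll32[.exe] "<dll>",<export>  (quotes optional)
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+)"?,(?P<export>\S*)', re.IGNORECASE)
GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
# Assumed heuristics: Run value names like "24551db1"/"BM27662e2d" and DLL
# basenames of exactly eight letters, as seen in this thread's logs.
HEXNAME_RE = re.compile(r"^[A-Za-z]{0,2}[0-9a-f]{8}$")
RANDOM_DLL_RE = re.compile(r"^[A-Za-z]{8}\.dll$")


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def in_windows_dir(path: str) -> bool:
    return "\\windows\\" in path.lower()


def check_o2(m: re.Match) -> List[str]:
    name, path = m["name"], m["path"]
    if (name == "(no name)" or GUID_RE.match(name)) and in_windows_dir(path) \
            and RANDOM_DLL_RE.match(basename(path)):
        return ["nameless/GUID-named BHO loading a random-named DLL from the Windows directory"]
    return []


def check_o4(m: re.Match) -> List[str]:
    reasons = []
    r = RUNDLL_RE.match(m["cmd"])
    if r and len(r["export"]) == 1 and RANDOM_DLL_RE.match(basename(r["dll"])):
        reasons.append("rundll32 loading a random-named DLL with a one-letter export")
    if HEXNAME_RE.match(m["name"]):
        reasons.append("Run value name is a random hex string")
    return reasons


def check_o20(m: re.Match) -> List[str]:
    if "(file missing)" in m["dll"]:
        return ["Winlogon Notify entry still references a DLL that is not on disk"]
    return []


def triage(log_text: str) -> List[Tuple[str, str]]:
    """Return (reason, log line) pairs for every entry a reviewer should look at first."""
    hits: List[Tuple[str, str]] = []
    for line in log_text.splitlines():
        line = line.strip()
        for regex, check in ((O2_RE, check_o2), (O4_RE, check_o4), (O20_RE, check_o20)):
            m = regex.match(line)
            if m:
                hits.extend((reason, line) for reason in check(m))
                break
    return hits


if __name__ == "__main__":
    for reason, line in triage(SAMPLE_LOG):
        print(f"[{reason}]\n    {line}")
```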
andyspeake
Senior Member with 1,539 posts.
 
Join Date: May 2007
Location: Glasgow,Scotland
Experience: Advanced
05-Jun-2008, 08:35 AM #5
Hi,

You do not need the XP CD to install the Recovery Console...

RECOVERY CONSOLE

Go to Microsoft's website => http://support.microsoft.com/kb/310994

Select the download that's appropriate for your Operating System.

(In your case, select SP2.)

Download the file and save it as it is originally named, next to ComboFix.exe.

Now close all open windows and programs, including all antivirus and anti-malware programs, so they do not interfere with the running of ComboFix.
  • Drag the setup package onto ComboFix.exe and drop it.
  • Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.
  • At the next prompt, click 'Yes' to run the full ComboFix scan.
  • When the tool is finished, it will produce a report for you.
Please post the C:\ComboFix.txt along with a new HijackThis log for further review.
tutatut
Junior Member with 11 posts.
 
Join Date: Jun 2008
Experience: Computer Illiterate
05-Jun-2008, 09:45 PM #6
ComboFix Log:

ComboFix 08-06-04.3 - me 2008-06-05 17:11:16.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.949.82.1033.18.212 [GMT -7:00]
Running from: C:\Documents and Settings\me\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\me\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
* Created a new restore point
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\BM27662e2d.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\dfPqAcdd.ini
C:\WINDOWS\system32\dfPqAcdd.ini2
C:\WINDOWS\system32\nqwayckv.exe

.
((((((((((((((((((((((((( Files Created from 2008-05-06 to 2008-06-06 )))))))))))))))))))))))))))))))
.

2008-06-05 17:17 . 2008-06-05 17:18 109,807 --a------ C:\WINDOWS\BM27662e2d.xml
2008-06-04 22:50 . 2008-06-04 22:50 95,232 --a------ C:\WINDOWS\system32\ldwhpryi.dll
2008-06-04 22:47 . 2008-06-05 17:18 2,874,235 ---hs---- C:\WINDOWS\system32\xclgrhhl.ini
2008-06-04 22:47 . 2008-06-04 22:47 82,432 --a------ C:\WINDOWS\system32\lhhrglcx.dll
2008-06-04 22:42 . 2008-06-04 22:42 91,136 --a------ C:\WINDOWS\system32\rviwhajb.dll
2008-06-04 15:59 . 2008-06-04 15:59 95,232 --a------ C:\WINDOWS\system32\qjkhouqg.dll
2008-06-04 15:56 . 2008-06-04 22:41 1,552,055 ---hs---- C:\WINDOWS\system32\lffvlsea.ini
2008-06-04 15:55 . 2008-06-04 15:55 91,136 --a------ C:\WINDOWS\system32\hhedrfcq.dll
2008-06-02 23:39 . 2008-06-02 23:39 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-02 22:02 . 2008-06-02 22:02 <DIR> d----c--- C:\kav
2008-06-02 16:52 . 2008-06-04 15:55 1,561,386 --ahs---- C:\WINDOWS\system32\edcqdtyp.ini
2008-06-02 15:46 . 2008-06-02 15:47 1,503,601 --ahs---- C:\WINDOWS\system32\bppyihvj.ini
2008-06-01 20:57 . 2008-06-01 20:57 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-06-01 13:42 . 2008-06-02 15:46 1,503,311 --ahs---- C:\WINDOWS\system32\jtpmwkft.ini
2008-06-01 13:39 . 2008-06-01 13:39 278,016 --a------ C:\WINDOWS\system32\ddcAqPfd.dll
2008-06-01 13:34 . 2008-06-01 13:34 41,984 --a------ C:\WINDOWS\mrofinu1535.exe
2008-05-29 16:26 . 2008-05-29 16:26 <DIR> d-------- C:\Program Files\portalgraphics
2008-05-24 21:36 . 2008-06-04 17:51 <DIR> d-------- C:\Program Files\Steam
2008-05-22 23:38 . 2008-06-01 22:56 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-05-22 23:38 . 2008-05-22 23:38 1,409 --a------ C:\WINDOWS\QTFont.for
2008-05-18 10:49 . 2008-05-18 10:49 7,680 --ahs---- C:\WINDOWS\Thumbs.db
2008-05-18 09:46 . 2008-05-18 09:46 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2008-05-18 09:42 . 2008-05-18 09:42 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-05-11 16:07 . 2008-05-11 16:07 <DIR> d-------- C:\Program Files\Audacity 1.3 Beta (Unicode)
2008-05-11 16:07 . 2008-05-11 16:55 <DIR> d-------- C:\Documents and Settings\me\Application Data\Audacity
2008-05-08 15:55 . 2008-05-08 15:55 <DIR> d-------- C:\WINDOWS\DSL
2008-05-08 15:55 . 2008-05-08 15:55 <DIR> d-------- C:\Program Files\Verizon
2008-05-07 17:02 . 2008-05-08 15:55 <DIR> d-------- C:\Program Files\Common Files\SupportSoft

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-05 05:42 --------- d-----w C:\Documents and Settings\me\Application Data\LimeWire
2008-06-04 23:46 --------- d-----w C:\Program Files\Starcraft
2008-06-03 03:04 --------- d-----w C:\Program Files\Lx_cats
2008-06-01 01:27 --------- d-----w C:\Program Files\Cellosoft
2008-05-29 23:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-21 02:45 43,520 ----a-w C:\WINDOWS\system32\CmdLineExt03.dll
2008-05-21 02:45 --------- d-----w C:\Program Files\Diablo II
2008-05-15 08:27 1,452,800 ----a-w C:\WINDOWS\system32\drivers\V3Engine.sys
2008-05-14 08:55 70,528 ----a-w C:\WINDOWS\system32\drivers\ahnsze.sys
2008-05-01 23:36 --------- d-----w C:\Documents and Settings\me\Application Data\Apple Computer
2008-04-19 22:17 --------- d-----w C:\Program Files\Tablet
2008-04-19 03:31 --------- d-----w C:\Program Files\QuickTime
2008-04-19 03:28 --------- d-----w C:\Program Files\Apple Software Update
2008-04-19 03:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-04-19 03:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2008-04-15 03:35 --------- d-----w C:\Program Files\Sun
2008-04-15 03:34 --------- d-----w C:\Program Files\Java
2008-04-15 02:21 --------- d-----w C:\Program Files\Common Files\Java
2008-04-08 16:16 --------- d-----w C:\Program Files\Sims2Pack Clean Installer
2008-04-07 22:30 --------- d-----w C:\Program Files\EA GAMES
2008-04-07 18:30 46,438 ----a-w C:\WINDOWS\system32\drivers\amonhknt.sys
2008-03-10 22:28 21,840 ----atw C:\WINDOWS\system32\SIntfNT.dll
2008-03-10 22:28 17,212 ----atw C:\WINDOWS\system32\SIntf32.dll
2008-03-10 22:28 12,067 ----atw C:\WINDOWS\system32\SIntf16.dll
2008-03-10 22:21 94,208 ----a-w C:\WINDOWS\DIIUnin.exe
2008-03-10 22:21 2,829 ----a-w C:\WINDOWS\DIIUnin.pif
2008-03-09 01:15 94,208 ----a-w C:\WINDOWS\ScUnin.exe
1999-07-07 00:00 6 --sh--r C:\WINDOWS\@@desktop.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d19b9a50-10cf-4689-b218-b6dcdbde7576}]
2008-06-04 22:50 95232 --a------ C:\WINDOWS\system32\ldwhpryi.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F916160B-78A8-4496-899D-BD208A228062}]
2008-06-01 13:39 278016 --a------ C:\WINDOWS\system32\ddcAqPfd.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 08:56 15360]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 12:34 5724184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-03 06:32 208952]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-03 06:32 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-03 06:32 455168]
"SoundMan"="SOUNDMAN.EXE" [2007-04-16 16:28 577536 C:\WINDOWS\soundman.exe]
"AhnLab Session Process"="C:\PROGRA~1\COMMON~1\AhnLab\ACA\ACASP.exe" [2007-11-20 03:10 54862]
"lxbxmon.exe"="C:\Program Files\Lexmark 7100 Series\lxbxmon.exe" [2005-01-18 11:43 196608]
"EzPrint"="C:\Program Files\Lexmark 7100 Series\ezprint.exe" [2004-09-17 14:24 61440]
"Corel Painter Essentials 21a"="C:\Program Files\Corel\Corel Painter Essentials 2\registration.exe" [ ]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 02:25 6731312]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-28 23:37 413696]
"LXBXCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBXtime.dll" [2004-11-02 17:08 69632]
"24551db1"="C:\WINDOWS\system32\lhhrglcx.dll" [2008-06-04 22:47 82432]
"BM27662e2d"="C:\WINDOWS\system32\rviwhajb.dll" [2008-06-04 22:42 91136]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-03 08:56 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
TabUserW.exe.lnk - C:\WINDOWS\system32\WTablet\TabUserW.exe [2008-04-19 15:17:54 114688]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoBandCustomize"= 0 (0x0)
"NoMovingBands"= 0 (0x0)
"NoCloseDragDropBands"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gebxwur]
gebxwur.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.divxa32"= msaud32_divx.acm

[HKLM\~\startupfolder\C:^Documents and Settings^Admin^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=C:\Documents and Settings\Admin\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AhnLab Session Process]
--a------ 2007-11-20 03:10 54862 C:\PROGRA~1\COMMON~1\AhnLab\ACA\ACASP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AHNSD]
--a------ 2008-01-28 18:23 199368 C:\Program Files\AhnLab\Smart Update Utility\AhnSD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
--a------ 2004-08-03 08:56 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HncUpdate]
--a------ 2004-11-01 07:05 241664 C:\WINDOWS\system32\HncUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kxva]
C:\WINDOWS\system32\kxvo.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 12:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Nexon\\MapleStory\\MapleStory.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Steam\\steamapps\\masskill88\\counter-strike source\\hl2.exe"=
"C:\\Program Files\\Starcraft\\StarCraft.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\kav\\kav7\\setup.exe"=

R1 AMonTDnt;AMonTDnt;C:\WINDOWS\system32\Drivers\AMonTDnt.sys [2008-01-11 11:57]
R2 AhnLab Application Service;AhnLab Application Service;"C:\Program Files\Common Files\AhnLab\ACA\ACAAS.exe" [2007-09-09 17:25]
R2 AhnLab Guarantee Service;AhnLab Guarantee Service;"C:\Program Files\Common Files\AhnLab\ACA\ACAEGMgr.exe" [2007-11-22 10:56]
R2 AhnLab Information Service;AhnLab Information Service;"C:\Program Files\Common Files\AhnLab\ACA\ACAIS.exe" [2007-09-09 17:26]
R2 AhnLab Log Service;AhnLab Log Service;"C:\Program Files\Common Files\AhnLab\ACA\ACALS.exe" [2007-08-10 10:55]
R2 AhnLab Task Scheduler;AhnLab Task Scheduler;"C:\Program Files\AhnLab\Smart Update Utility\AhnSDsv.exe" [2008-01-28 18:23]
R2 AMonHKnt;AMonHKnt;C:\WINDOWS\system32\Drivers\AMonHKnt.sys [2008-04-07 11:30]
R3 AhnFlt2k;AhnFlt2k;C:\WINDOWS\system32\Drivers\AhnFlt2k.sys [2008-01-09 11:53]
R3 AhnRec2k;AhnRec2k;C:\WINDOWS\system32\Drivers\AhnRec2k.sys [2007-03-20 13:08]
R3 AhnRghNt;AhnRghNt;C:\WINDOWS\system32\Drivers\AhnRghNt.sys [2008-01-09 11:54]
R3 AhnSZE;AhnSZE;C:\WINDOWS\system32\drivers\AhnSZE.sys [2008-05-14 01:55]
R3 ASZFltNt;ASZFltNt;C:\PROGRA~1\AhnLab\V3IS2007\ASZFltNt.sys [2008-01-09 12:10]
R3 CdmDrvNt;CdmDrvNt;C:\WINDOWS\system32\Drivers\CdmDrvNt.sys [2007-10-01 10:39]
R3 ISFWEnt;ISFWEnt;C:\Program Files\AhnLab\V3IS2007\ISFWEnt.sys [2008-01-09 12:10]
R3 ISIPSEnt;ISIPSEnt;C:\Program Files\AhnLab\V3IS2007\ISIPSEnt.sys [2008-02-18 23:38]
R3 ISPIBEnt;ISPIBEnt;C:\Program Files\AhnLab\V3IS2007\ISPIBEnt.sys [2007-10-05 11:42]
R3 ISPrxEnt;ISPrxEnt;C:\Program Files\AhnLab\V3IS2007\ISPrxEnt.sys [2007-10-03 23:39]
R3 ISTrkEnt;ISTrkEnt;C:\Program Files\AhnLab\V3IS2007\ISTrkEnt.sys [2007-03-20 13:28]
R3 v3engine;v3engine;C:\WINDOWS\system32\drivers\v3engine.sys [2008-05-15 01:27]
R3 V3Flt2K;V3Flt2K;C:\PROGRA~1\AhnLab\V3IS2007\V3Flt2K.sys [2008-02-18 23:39]
R3 V3IFt2K;V3IFt2K;C:\PROGRA~1\AhnLab\V3IS2007\V3IFt2K.sys [2008-01-09 12:11]
S3 ArfMonNt;ArfMonNt;C:\Program Files\AhnLab\V3IS2007\ArfMonNt.sys [2008-02-18 23:39]

.
Contents of the 'Scheduled Tasks' folder
"2008-04-19 03:28:22 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-05 17:17:59
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\AhnLab\V3IS2007\msproxy.ahn
C:\WINDOWS\system32\conime.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Common Files\AhnLab\ACA\acasp.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\lxbxcoms.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
.
**************************************************************************
.
Completion time: 2008-06-05 17:20:41 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-06 00:20:32
ComboFix2.txt 2008-06-05 05:20:27
ComboFix3.txt 2008-02-11 04:17:05

Pre-Run: 15,558,443,008 bytes free
Post-Run: 15,541,940,224 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

212

HijackThis Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:41:39 PM, on 6/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\AhnLab\ACA\ACAAS.exe
C:\Program Files\Common Files\AhnLab\ACA\ACAEGMgr.exe
C:\Program Files\AhnLab\V3IS2007\MSProxy.ahn
C:\Program Files\Common Files\AhnLab\ACA\ACAIS.exe
C:\Program Files\Common Files\AhnLab\ACA\ACALS.exe
C:\Program Files\AhnLab\Smart Update Utility\AhnSDsv.exe
C:\WINDOWS\system32\conime.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\COMMON~1\AhnLab\ACA\ACASP.exe
C:\Program Files\Lexmark 7100 Series\lxbxmon.exe
C:\Program Files\Lexmark 7100 Series\ezprint.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\WINDOWS\system32\lxbxcoms.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\scanner.exe.exe

O2 - BHO: (no name) - {3B264D45-2515-4A3D-A27E-22F69CEFECD5} - C:\WINDOWS\system32\ddcAqPfd.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: {eb2c86e6-4ce2-408a-6524-c92839df56ab} - {ba65fd93-829c-4256-a804-2ec46e68c2be} - C:\WINDOWS\system32\twtrrlor.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AhnLab Session Process] "C:\PROGRA~1\COMMON~1\AhnLab\ACA\ACASP.exe"
O4 - HKLM\..\Run: [lxbxmon.exe] "C:\Program Files\Lexmark 7100 Series\lxbxmon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 7100 Series\ezprint.exe"
O4 - HKLM\..\Run: [Corel Painter Essentials 21a] C:\Program Files\Corel\Corel Painter Essentials 2\registration.exe /title="Corel Painter Essentials 2" /date=020508 serial=PE02CBX-0000003-NMD lang=EN
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LXBXCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBXtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [BM27662e2d] Rundll32.exe "C:\WINDOWS\system32\btirosfv.dll",s
O4 - HKLM\..\Run: [24551db1] rundll32.exe "C:\WINDOWS\system32\sfttruio.dll",b
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {306BDCAE-B7BF-4966-82A8-DFFC9DC3B4A9} (ONSEDownLoad Control) - http://club.shinbiro.com/common/ONSEUpDown.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1205619002671
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O20 - Winlogon Notify: gebxwur - gebxwur.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AhnLab Application Service - AhnLab, Inc. - C:\Program Files\Common Files\AhnLab\ACA\ACAAS.exe
O23 - Service: AhnLab Guarantee Service - AhnLab, Inc. - C:\Program Files\Common Files\AhnLab\ACA\ACAEGMgr.exe
O23 - Service: AhnLab Information Service - AhnLab, Inc. - C:\Program Files\Common Files\AhnLab\ACA\ACAIS.exe
O23 - Service: AhnLab Log Service - AhnLab, Inc. - C:\Program Files\Common Files\AhnLab\ACA\ACALS.exe
O23 - Service: AhnLab Task Scheduler - AhnLab, Inc. - C:\Program Files\AhnLab\Smart Update Utility\AhnSDsv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: lxbx_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxbxcoms.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe

--
End of file - 6202 bytes

You have no idea how long it took to copy and paste these and post. Everything froze up the first try.
Also, I couldn't get to the link (Microsoft website) that you provided at first. The same thing that happened with google happened; nothing would ever load. I ended up using a proxy site, which worked better.
Senior Member with 1,539 posts.
 
Join Date: May 2007
Location: Glasgow,Scotland
Experience: Advanced
06-Jun-2008, 04:53 PM #7
Hi,

Remove bad HijackThis entries
  • Run HijackThis
  • Click on do a system scan only
  • Click on the Scan button
  • Put a check beside all of the items listed below (if present):

    O2 - BHO: {eb2c86e6-4ce2-408a-6524-c92839df56ab} - {ba65fd93-829c-4256-a804-2ec46e68c2be} - C:\WINDOWS\system32\twtrrlor.dll
    O2 - BHO: (no name) - {3B264D45-2515-4A3D-A27E-22F69CEFECD5} - C:\WINDOWS\system32\ddcAqPfd.dll
    O20 - Winlogon Notify: gebxwur - gebxwur.dll (file missing)


  • Close all open windows and browsers/email, etc...
  • Click on the "Fix Checked" button
  • When completed, close the application.

============================

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only
  • Double-click ATF-Cleaner.exe to run the program.
    Under Main choose: Select All
    Click the Empty Selected button.
If you use Firefox browser
  • Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
  • Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.


============================

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log

So please post back:
Sdfix log
Fresh Hijackthis log.

Thanks
__________________
If the people from TSG have helped you, please consider making a donation Here
Junior Member with 11 posts.
 
Join Date: Jun 2008
Experience: Computer Illiterate
06-Jun-2008, 11:01 PM #8
O2 - BHO: {eb2c86e6-4ce2-408a-6524-c92839df56ab} - {ba65fd93-829c-4256-a804-2ec46e68c2be} - C:\WINDOWS\system32\twtrrlor.dll
Does not exist
O2 - BHO: (no name) - {3B264D45-2515-4A3D-A27E-22F69CEFECD5} - C:\WINDOWS\system32\ddcAqPfd.dll
There's one called O2 - BHO: (no name) - {BDA845E5-1B29-4F43-BE87-03C9AF566B0A} - C:\WINDOWS\system32\ddcAqPfd.dll, but it doesn't delete.
O20 - Winlogon Notify: gebxwur - gebxwur.dll (file missing)
Deleted

Report.txt

SDFix: Version 1.187
Run by me on 06/06/2008 Fri at 06:32 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\DOCUME~1\me\Desktop\SDFix

Checking Services :


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\WINDOWS\mrofinu1535.exe - Deleted





Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-06 18:51:57
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Fonts]
"\쎯??(?T?r?u?e?T?y?p?e?)?????"="HDOTUM.TTF"
"\???(?T?r?u?e?T?y?p?e?)?????"="HBATANG.TTF"
"\????(?T?r?u?e?T?y?p?e?)???????"="FZSong_Super.TTF"
"\?S???(?T?r?u?e?T?y?p?e?)?????"="UNI_HSR.TTF"

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\Nexon\\MapleStory\\MapleStory.exe"="C:\\Nexon\\MapleStory\\MapleStory.exe:*:Enabled:MapleStory"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\Steam\\steamapps\\masskill88\\counter-strike source\\hl2.exe"="C:\\Program Files\\Steam\\steamapps\\masskill88\\counter-strike source\\hl2.exe:*:Enabled:hl2"
"C:\\Program Files\\Starcraft\\StarCraft.exe"="C:\\Program Files\\Starcraft\\StarCraft.exe:*:Enabled:Starcraft"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\\kav\\kav7\\setup.exe"="C:\\kav\\kav7\\setup.exe:*:Enabled:Kaspersky Anti-Virus 7.0 Setup"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

Remaining Files :


File Backups: - C:\DOCUME~1\me\Desktop\SDFix\backups\backups.zip

Files with Hidden Attributes :


Finished!

HijackThis Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:00:34 PM, on 6/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AhnLab\ACA\ACAAS.exe
C:\Program Files\Common Files\AhnLab\ACA\ACAEGMgr.exe
C:\Program Files\Common Files\AhnLab\ACA\ACAIS.exe
C:\Program Files\Common Files\AhnLab\ACA\ACALS.exe
C:\Program Files\AhnLab\Smart Update Utility\AhnSDsv.exe
C:\Program Files\AhnLab\V3IS2007\MSProxy.ahn
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\conime.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\COMMON~1\AhnLab\ACA\ACASP.exe
C:\Program Files\Lexmark 7100 Series\ezprint.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\lxbxcoms.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Trend Micro\HijackThis\scanner.exe.exe

O2 - BHO: (no name) - {70D95526-B5B9-44AA-B533-5491CEF83E3B} - C:\WINDOWS\system32\ddcAqPfd.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: {8d8d3cb8-f771-bfbb-8e44-4aa2951fce8c} - {c8ecf159-2aa4-44e8-bbfb-177f8bc3d8d8} - C:\WINDOWS\system32\gxxjvhmr.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AhnLab Session Process] "C:\PROGRA~1\COMMON~1\AhnLab\ACA\ACASP.exe"
O4 - HKLM\..\Run: [lxbxmon.exe] "C:\Program Files\Lexmark 7100 Series\lxbxmon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 7100 Series\ezprint.exe"
O4 - HKLM\..\Run: [Corel Painter Essentials 21a] C:\Program Files\Corel\Corel Painter Essentials 2\registration.exe /title="Corel Painter Essentials 2" /date=020508 serial=PE02CBX-0000003-NMD lang=EN
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LXBXCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBXtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [24551db1] rundll32.exe "C:\WINDOWS\system32\hihdnoyt.dll",b
O4 - HKLM\..\Run: [BM27662e2d] Rundll32.exe "C:\WINDOWS\system32\ghjmlnex.dll",s
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {306BDCAE-B7BF-4966-82A8-DFFC9DC3B4A9} (ONSEDownLoad Control) - http://club.shinbiro.com/common/ONSEUpDown.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1205619002671
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AhnLab Application Service - AhnLab, Inc. - C:\Program Files\Common Files\AhnLab\ACA\ACAAS.exe
O23 - Service: AhnLab Guarantee Service - AhnLab, Inc. - C:\Program Files\Common Files\AhnLab\ACA\ACAEGMgr.exe
O23 - Service: AhnLab Information Service - AhnLab, Inc. - C:\Program Files\Common Files\AhnLab\ACA\ACAIS.exe
O23 - Service: AhnLab Log Service - AhnLab, Inc. - C:\Program Files\Common Files\AhnLab\ACA\ACALS.exe
O23 - Service: AhnLab Task Scheduler - AhnLab, Inc. - C:\Program Files\AhnLab\Smart Update Utility\AhnSDsv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: lxbx_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxbxcoms.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe

--
End of file - 6017 bytes
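The entries andyspeake singled out in post #7 and the rescan tutatut posted in #8 together show the pattern a helper reads for: a BHO with no readable name (or a GUID where the name should be) pointing at a DLL with a pseudo-random eight-letter name directly in system32, a Run value with a generated name that launches rundll32 on such a DLL through a one-letter export, a Winlogon Notify handler whose DLL is already gone, and, between scans, the same DLL coming back under a fresh CLSID while the sibling DLLs are renamed. The Python below is an added example, not part of the thread and not a HijackThis feature; it encodes those indicators as heuristics and diffs two logs keyed on the loaded file rather than the CLSID. The sample input is the relevant lines of the 6/5 and 6/6 logs posted above; every pattern and threshold is this example's own assumption.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# All patterns and thresholds here are this example's own heuristics, not HijackThis features.
GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
RANDOM_DLL_RE = re.compile(r"^[A-Za-z]{8}\.dll$", re.IGNORECASE)           # ddcAqPfd.dll, twtrrlor.dll ...
SYSTEM32_RE = re.compile(r"\\windows\\system32\\[^\\]+$", re.IGNORECASE)  # file sits directly in system32
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+\.dll)"?\s*,\s*(\w+)', re.IGNORECASE)
GENERATED_KEY_RE = re.compile(r"(?:BM)?[0-9a-f]{8,10}", re.IGNORECASE)     # 24551db1, BM27662e2d

# Constructed sample input: the relevant lines of the 6/5 and 6/6 logs posted in this thread.
LOG_BEFORE = r"""
O2 - BHO: (no name) - {3B264D45-2515-4A3D-A27E-22F69CEFECD5} - C:\WINDOWS\system32\ddcAqPfd.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: {eb2c86e6-4ce2-408a-6524-c92839df56ab} - {ba65fd93-829c-4256-a804-2ec46e68c2be} - C:\WINDOWS\system32\twtrrlor.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [LXBXCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBXtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [BM27662e2d] Rundll32.exe "C:\WINDOWS\system32\btirosfv.dll",s
O4 - HKLM\..\Run: [24551db1] rundll32.exe "C:\WINDOWS\system32\sfttruio.dll",b
O20 - Winlogon Notify: gebxwur - gebxwur.dll (file missing)
"""
LOG_AFTER = r"""
O2 - BHO: (no name) - {70D95526-B5B9-44AA-B533-5491CEF83E3B} - C:\WINDOWS\system32\ddcAqPfd.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: {8d8d3cb8-f771-bfbb-8e44-4aa2951fce8c} - {c8ecf159-2aa4-44e8-bbfb-177f8bc3d8d8} - C:\WINDOWS\system32\gxxjvhmr.dll
O4 - HKLM\..\Run: [24551db1] rundll32.exe "C:\WINDOWS\system32\hihdnoyt.dll",b
O4 - HKLM\..\Run: [BM27662e2d] Rundll32.exe "C:\WINDOWS\system32\ghjmlnex.dll",s
"""


@dataclass
class Entry:
    kind: str                  # HJT section: O2, O4, O20 ...
    line: str
    path: str = ""             # file the entry loads, when recognisable
    clsid: str = ""            # BHO CLSID (O2 only)
    reasons: List[str] = field(default_factory=list)


def parse_entry(line: str) -> Optional[Entry]:
    """Parse one HJT line into an Entry carrying the indicators it triggers; None for non-O lines."""
    m = re.match(r"(O\d+) - (.*)$", line.strip())
    if not m:
        return None
    kind, rest = m.groups()
    e = Entry(kind=kind, line=line.strip())
    if kind == "O2":                                   # O2 - BHO: <name> - {CLSID} - <path>
        parts = rest.split(" - ")
        if len(parts) >= 3:
            name = parts[0].replace("BHO: ", "", 1)
            e.clsid, e.path = parts[1].strip(), parts[2].strip()
            if name == "(no name)" or GUID_RE.fullmatch(name):
                e.reasons.append("BHO has no readable name")
    elif kind == "O4":                                 # O4 - HKLM\..\Run: [<value>] <command>
        km = re.search(r"\[([^\]]+)\]", rest)
        if km and GENERATED_KEY_RE.fullmatch(km.group(1)):
            e.reasons.append("Run value name looks machine-generated")
        rm = RUNDLL_RE.search(rest)
        if rm:
            e.path, export = rm.group(1), rm.group(2)
            if len(export) == 1:
                e.reasons.append("rundll32 calls a one-letter export")
    elif kind == "O20":                                # O20 - Winlogon Notify: <name> - <dll> [(file missing)]
        e.path = rest.split(" - ")[-1].replace("(file missing)", "").strip()
        if "(file missing)" in rest:
            e.reasons.append("Winlogon Notify DLL missing on disk (dangling autostart)")
    base = e.path.rsplit("\\", 1)[-1]
    if RANDOM_DLL_RE.match(base) and ("\\" not in e.path or SYSTEM32_RE.search(e.path)):
        e.reasons.append("8-letter DLL name directly in system32")
    return e


def triage(log_text: str) -> List[Entry]:
    """Entries that trigger at least one indicator, in log order."""
    return [e for e in map(parse_entry, log_text.splitlines()) if e and e.reasons]


def rescan_changes(before: str, after: str) -> Dict[str, List[str]]:
    """Diff two triaged logs of the same machine, keyed on the loaded file (not the CLSID)."""
    old = {(e.kind, e.path.lower()): e for e in triage(before)}
    new = {(e.kind, e.path.lower()): e for e in triage(after)}
    report: Dict[str, List[str]] = {"removed": [], "new": [], "reregistered": []}
    for key, e in old.items():
        if key not in new:
            report["removed"].append(e.line)
    for key, e in new.items():
        if key not in old:
            report["new"].append(e.line)
        elif e.kind == "O2" and e.clsid != old[key].clsid:   # same DLL, fresh CLSID
            report["reregistered"].append(f"{e.path}: {old[key].clsid} -> {e.clsid}")
    return report


if __name__ == "__main__":
    for e in triage(LOG_BEFORE):
        print(f"{e.kind:4} {e.path or e.line}: {'; '.join(e.reasons)}")
    print(rescan_changes(LOG_BEFORE, LOG_AFTER))
```

Keying the comparison on the file rather than the CLSID is what makes ddcAqPfd.dll show up as re-registered instead of as one removed entry plus one new one, which is exactly what tutatut saw in post #8 (same DLL, different CLSID, would not delete). The LXBXCATS line is included on purpose: its DLL also has an eight-letter name, but it lives in a printer-driver subdirectory and is called through a named export, so none of the heuristics fire.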
Senior Member with 1,539 posts.
 
Join Date: May 2007
Location: Glasgow,Scotland
Experience: Advanced
07-Jun-2008, 08:24 AM #9
Hi,

VUNDOFIX

Download Vundofix from here
  • Double-click VundoFix.exe to run it.
  • When VundoFix opens, click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will attempt to run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

*If VundoFix gives a runtime error on startup you are most likely missing the file comdlg32.ocx. A new copy and instructions on where to put it can be found HERE

Download and Run Malwarebytes' Anti-Malware
Please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. please copy and paste the log into your next reply.
  • If you accidentally close it, the log file is saved here and will be named like this: C:\Documents and Settings\<your username>\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

So please post back:
Vundofix.txt
Malwarebytes' log
Fresh HJT log

Thanks.
__________________
If the people from TSG have helped you, please consider making a donation Here
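One part of the SDFix report in post #8 that the next round of tools does not touch is the "Authorized Application Key Export" at its end: the XP firewall's AuthorizedApplications list, which helpers read for programs that have opened themselves through the firewall. The Python below is an added example, not SDFix code, that parses that export format and flags exceptions worth a second look. The sample is constructed in the same format: the Messenger, Kaspersky setup and StarCraft entries are copied from the report above (StarCraft changed to Disabled to show that disabled rules are skipped), while the system32 entry with the eight-letter name is invented for this example and appears nowhere in the thread. The audit heuristics are this example's own assumptions.

```python
import re
from typing import List, NamedTuple

# Constructed sample in the format SDFix appends to Report.txt. The first, second and
# fourth entries come from the report in this thread (StarCraft changed to Disabled);
# the system32 entry with the eight-letter name is INVENTED for this example.
SAMPLE_EXPORT = r'''
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\kav\\kav7\\setup.exe"="C:\\kav\\kav7\\setup.exe:*:Enabled:Kaspersky Anti-Virus 7.0 Setup"
"C:\\WINDOWS\\system32\\qwtpxlmv.exe"="C:\\WINDOWS\\system32\\qwtpxlmv.exe:*:Enabled:qwtpxlmv"
"C:\\Program Files\\Starcraft\\StarCraft.exe"="C:\\Program Files\\Starcraft\\StarCraft.exe:*:Disabled:Starcraft"
'''

PROFILE_RE = re.compile(r"^\[.*\\firewallpolicy\\(\w+)\\authorizedapplications\\list\]$", re.IGNORECASE)
ENTRY_RE = re.compile(r'^"(?P<key>.*?)"="(?P<value>.*)"$')
RANDOM_EXE_RE = re.compile(r"^[A-Za-z]{8}\.exe$", re.IGNORECASE)   # heuristic, like the DLL names in the HJT logs


class Rule(NamedTuple):
    profile: str   # standardprofile / domainprofile
    key: str       # registry value name (XP writes the path here too)
    path: str
    scope: str     # "*" = any remote address, otherwise a subnet list
    state: str     # Enabled / Disabled
    name: str


class Finding(NamedTuple):
    path: str
    reasons: List[str]


def _unescape(s: str) -> str:
    return s.replace("\\\\", "\\")     # the export doubles backslashes like a .reg file


def parse_export(text: str) -> List[Rule]:
    """Parse an AuthorizedApplications\\List export into Rule records."""
    rules: List[Rule] = []
    profile = "unknown"
    for line in text.splitlines():
        line = line.strip()
        pm = PROFILE_RE.match(line)
        if pm:
            profile = pm.group(1).lower()
            continue
        em = ENTRY_RE.match(line)
        if not em:
            continue
        # Value layout is path:scope:state:name; rsplit keeps the "C:" inside the path intact.
        fields = _unescape(em.group("value")).rsplit(":", 3)
        if len(fields) != 4:
            fields = [_unescape(em.group("key")), "?", "MALFORMED", _unescape(em.group("value"))]
        rules.append(Rule(profile, _unescape(em.group("key")), *fields))
    return rules


def audit(rules: List[Rule]) -> List[Finding]:
    """Flag exceptions a helper would question; the checks are this example's assumptions."""
    findings: List[Finding] = []
    for r in rules:
        reasons: List[str] = []
        if r.state == "MALFORMED":
            reasons.append("value does not follow path:scope:state:name")
        elif r.state.lower() != "enabled":
            continue                                           # a disabled rule opens nothing
        if r.key.lower() != r.path.lower():
            reasons.append("value name and embedded path differ")
        low = r.path.lower()
        base = low.rsplit("\\", 1)[-1]
        if low.startswith("c:\\windows\\") or "\\local settings\\" in low or "\\temp\\" in low:
            reasons.append("executable under Windows or a temp/profile directory")
        if RANDOM_EXE_RE.match(base):
            reasons.append("eight-letter pseudo-random file name")
        if base.startswith(("setup", "install")):
            reasons.append("installer left as a permanent exception")
        if reasons and r.scope == "*":
            reasons.append("scope * (any remote address)")
        if reasons:
            findings.append(Finding(r.path, reasons))
    return findings


if __name__ == "__main__":
    for f in audit(parse_export(SAMPLE_EXPORT)):
        print(f.path, "->", "; ".join(f.reasons))
```

Nothing in the thread's real export is malicious on its face; the point of the audit is that an exception is only as trustworthy as the binary it names, so a random-looking executable under the Windows directory, or an installer that was allowed through once and never removed, is what a helper asks about next.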
Junior Member with 11 posts.
 
Join Date: Jun 2008
Experience: Computer Illiterate
08-Jun-2008, 02:48 AM #10
The Vundofix link doesn't work...


Malwarebytes' Log (Ran 2 times, one after reboot):

Malwarebytes' Anti-Malware 1.15
Database version: 839

10:11:24 PM 6/7/2008
mbam-log-6-7-2008 (22-11-24).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 102075
Time elapsed: 30 minute(s), 5 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 9
Registry Values Infected: 2
Registry Data Items Infected: 2
Folders Infected: 1
Files Infected: 26

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\ddcAqPfd.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\system32\mnnirhhr.dll (Trojan.Vundo) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{749e8cb4-c192-4efd-bc57-233ace8a1a64} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{749e8cb4-c192-4efd-bc57-233ace8a1a64} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\24551db1 (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BM27662e2d (Trojan.Agent) -> Delete on reboot.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\ddcaqpfd -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\ddcaqpfd -> Delete on reboot.

Folders Infected:
C:\WINDOWS\system32\nui4 (Trojan.Downloader) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\ddcAqPfd.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\dfPqAcdd.ini (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\dfPqAcdd.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\hihdnoyt.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tyondhih.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mnnirhhr.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\rhhrinnm.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\1V1ine\Local Settings\Temporary Internet Files\Content.IE5\05QNCTEJ\kb713501[1] (Trojan.LowZones) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\crjybdib.exe.vir (Trojan.LowZones) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\hgGaYPjh.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\mdpsmhgw.exe.vir (Trojan.LowZones) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\nqwayckv.exe.vir (Trojan.LowZones) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D60CD642-939E-4FBB-9A94-8EE109AAE7B2}\RP2\A0000014.exe (Trojan.LowZones) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D60CD642-939E-4FBB-9A94-8EE109AAE7B2}\RP2\A0000015.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D60CD642-939E-4FBB-9A94-8EE109AAE7B2}\RP2\A0000017.exe (Trojan.LowZones) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D60CD642-939E-4FBB-9A94-8EE109AAE7B2}\RP3\A0000118.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D60CD642-939E-4FBB-9A94-8EE109AAE7B2}\RP4\A0000142.exe (Trojan.LowZones) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D60CD642-939E-4FBB-9A94-8EE109AAE7B2}\RP5\A0000204.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D60CD642-939E-4FBB-9A94-8EE109AAE7B2}\RP6\A0001454.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D60CD642-939E-4FBB-9A94-8EE109AAE7B2}\RP6\A0001461.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\bkciyloi.exe (Trojan.LowZones) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\jvafvasq.exe (Trojan.LowZones) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\vnyxeqbm.exe (Trojan.LowZones) -> Quarantined and deleted successfully.
C:\WINDOWS\cookies.ini (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\kcnnxaeo.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\clkcnt.txt (Trojan.Vundo) -> Quarantined and deleted successfully.

----------------------------------------------------------------------

Malwarebytes' Anti-Malware 1.15
Database version: 839

10:43:51 PM 6/7/2008
mbam-log-6-7-2008 (22-43-51).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 101509
Time elapsed: 23 minute(s), 59 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 1
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{749e8cb4-c192-4efd-bc57-233ace8a1a64} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{749e8cb4-c192-4efd-bc57-233ace8a1a64} (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BM27662e2d (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\ddcaqpfd -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\ddcaqpfd -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\ddcAqPfd.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dfPqAcdd.ini (Trojan.Vundo) -> Quarantined and deleted successfully.

HijackThis Log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:47:15 PM, on 6/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AhnLab\ACA\ACAAS.exe
C:\Program Files\Common Files\AhnLab\ACA\ACAEGMgr.exe
C:\Program Files\AhnLab\V3IS2007\MSProxy.ahn
C:\Program Files\Common Files\AhnLab\ACA\ACAIS.exe
C:\Program Files\Common Files\AhnLab\ACA\ACALS.exe
C:\Program Files\AhnLab\Smart Update Utility\AhnSDsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\COMMON~1\AhnLab\ACA\ACASP.exe
C:\Program Files\Lexmark 7100 Series\ezprint.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\lxbxcoms.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\scanner.exe.exe

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: {f1e90774-a861-8fd8-6814-10f5d26c798f} - {f897c62d-5f01-4186-8df8-168a47709e1f} - C:\WINDOWS\system32\qyygcmdk.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AhnLab Session Process] "C:\PROGRA~1\COMMON~1\AhnLab\ACA\ACASP.exe"
O4 - HKLM\..\Run: [lxbxmon.exe] "C:\Program Files\Lexmark 7100 Series\lxbxmon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 7100 Series\ezprint.exe"
O4 - HKLM\..\Run: [Corel Painter Essentials 21a] C:\Program Files\Corel\Corel Painter Essentials 2\registration.exe /title="Corel Painter Essentials 2" /date=020508 serial=PE02CBX-0000003-NMD lang=EN
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LXBXCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBXtime.dll,_RunDLLEntry@16
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {306BDCAE-B7BF-4966-82A8-DFFC9DC3B4A9} (ONSEDownLoad Control) - http://club.shinbiro.com/common/ONSEUpDown.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1205619002671
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AhnLab Application Service - AhnLab, Inc. - C:\Program Files\Common Files\AhnLab\ACA\ACAAS.exe
O23 - Service: AhnLab Guarantee Service - AhnLab, Inc. - C:\Program Files\Common Files\AhnLab\ACA\ACAEGMgr.exe
O23 - Service: AhnLab Information Service - AhnLab, Inc. - C:\Program Files\Common Files\AhnLab\ACA\ACAIS.exe
O23 - Service: AhnLab Log Service - AhnLab, Inc. - C:\Program Files\Common Files\AhnLab\ACA\ACALS.exe
O23 - Service: AhnLab Task Scheduler - AhnLab, Inc. - C:\Program Files\AhnLab\Smart Update Utility\AhnSDsv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: lxbx_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxbxcoms.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe

--
End of file - 5819 bytes
Google is working now, and no popups so far. Thanks!
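For anyone reading this thread to learn what a helper looks for in the O2 (BHO) lines of a log like the one above, here is a small triage script. It is an added example written for this page, not a tool from the thread, Trend Micro or TSG; the sample input is the three O2 lines quoted above, and the "random-looking name" vowel-ratio threshold is my own assumption, not a published rule.

```python
import re

# Constructed sample: the three O2 (BHO) lines from the HijackThis log above.
SAMPLE_LOG = """\
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\\Program Files\\Java\\jre1.6.0_05\\bin\\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\\Program Files\\Common Files\\Microsoft Shared\\Windows Live\\WindowsLiveLogin.dll
O2 - BHO: {f1e90774-a861-8fd8-6814-10f5d26c798f} - {f897c62d-5f01-4186-8df8-168a47709e1f} - C:\\WINDOWS\\system32\\qyygcmdk.dll
"""

# HijackThis O2 layout: "O2 - BHO: <display name> - {CLSID} - <dll path>"
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$")
GUID_RE = re.compile(r"^\{[0-9A-Fa-f-]{36}\}$")


def parse_o2(log_text):
    """Return a list of dicts (name, clsid, path), one per O2 line in the log."""
    entries = []
    for line in log_text.splitlines():
        m = O2_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def looks_random(basename):
    """Heuristic (assumed threshold): 6+ letters with almost no vowels, e.g. 'qyygcmdk'."""
    stem = basename.lower().rsplit(".", 1)[0]
    if not (len(stem) >= 6 and stem.isalpha()):
        return False
    vowels = sum(c in "aeiou" for c in stem)
    return vowels / len(stem) < 0.15


def triage_bhos(log_text):
    """Return (dll_path, reasons) for every BHO that trips at least one heuristic."""
    findings = []
    for e in parse_o2(log_text):
        reasons = []
        # Legitimate BHOs carry a product name; a bare GUID or "(no name)" is a red flag.
        if GUID_RE.match(e["name"]) or e["name"] == "(no name)":
            reasons.append("display name is a bare GUID / missing")
        # A vendor-less DLL with a random-looking name dropped into system32 is another.
        base = e["path"].rsplit("\\", 1)[-1]
        if "\\system32\\" in e["path"].lower() and looks_random(base):
            reasons.append("random-looking DLL name in system32")
        if reasons:
            findings.append((e["path"], reasons))
    return findings
```

Running `triage_bhos(SAMPLE_LOG)` reports only the qyygcmdk.dll entry, with both reasons, which is exactly the line a helper would ask to have fixed.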
andyspeake's Avatar
Computer Specs
Senior Member with 1,539 posts.
 
Join Date: May 2007
Location: Glasgow,Scotland
Experience: Advanced
08-Jun-2008, 07:41 AM #11
That website seems to be down. Please try downloading it from here and follow the same instructions I posted.

http://www.majorgeeks.com/download4954.html
tutatut's Avatar
Junior Member with 11 posts.
 
Join Date: Jun 2008
Experience: Computer Illiterate
08-Jun-2008, 01:34 PM #12
Run-time error '339':
Component 'comdlg32.ocx' or one of its dependencies not correctly registered: a file is missing or invalid


Can't run Vundofix...
andyspeake's Avatar
Computer Specs
Senior Member with 1,539 posts.
 
Join Date: May 2007
Location: Glasgow,Scotland
Experience: Advanced
08-Jun-2008, 01:42 PM #13
Quote:
*If VundoFix gives a runtime error on startup you are most likely missing the file: comdlg32.ocx. A new copy and instructions on where to put it can be found HERE
tutatut's Avatar
Junior Member with 11 posts.
 
Join Date: Jun 2008
Experience: Computer Illiterate
08-Jun-2008, 08:07 PM #14
Ran Vundofix; none found



VundoFix V7.0.0

Scan started at 3:43:16 PM 6/8/2008

Listing files found while scanning....

No infected files were found.
andyspeake's Avatar
Computer Specs
Senior Member with 1,539 posts.
 
Join Date: May 2007
Location: Glasgow,Scotland
Experience: Advanced
09-Jun-2008, 08:22 AM #15
Please disable all realtime protection and security programmes.
Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review. You can re-enable any security programmes you may have disabled.

Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
__________________
If the people from TSG have helped you, please consider making a donation Here
Tags
popups, slow
