Welcome guest. Before posting on our computer help forum, you must register. Click here it's easy and free.

Author Topic: Need to get rid of the Malware again (Outerinfo, Internet speed monitor, etc)  (Read 35386 times)

0 Members and 1 Guest are viewing this topic.

green tea

    Topic Starter


    Intermediate

    Thanked: 1
    I have no clue where my XP cd is at this time. It's been a good couple of years since I've seen it.

    And my cd drive/dvd drive have not been working for a while as well. Only way I can get stuff into my pc is d/l through the internet or via usb.

    I know doing system restore is dangerous since all the virus would still be there, but would it bring this application back?

    green tea

      Topic Starter


      Intermediate

      Thanked: 1
      Only found the 4-disc Recovery CD that came with my machine. I think XP was already pre-installed on the computer when we got it.

      Is there another way I can get the correct version? Would it be possible for you to post a d/l link for it and then I d/l and add it to the System folders?

      evilfantasy

      • Malware Removal Specialist
      • Moderator


      • Genius
      • Calm like a bomb
      • Thanked: 489
      • Experience: Familiar
      • OS: Windows 10
      Quote
      Is there another way I can get the correct version? Would it be possible for you to post a d/l link for it and then I d/l and add it to the System folders?

      That's illegal.

      Try to find the install disk, or use the recovery CD's and reinstall. Stop downloading torrents. I can't do much good if you are just going to keep making the same mistakes over and over.

      green tea

        Topic Starter


        Intermediate

        Thanked: 1
        I honestly didn't think torrents could be dangerous if I got them from reliable sites. I've been using them for many years and it's only this year that the problems happened. I know, it's really stupid..

        Would you still be able to help one more time (Hopefully)?? Can I use the recovery cd and replace that one system file, or does using the Recovery cd mean everything I have gets wiped out?
        ..

        I went into the system32 folder to see if the Rundll32.exe was in there.. it is but the icon is a blank sheet of paper. The other exe all look like windows.
        « Last Edit: April 27, 2008, 02:10:30 PM by green tea »

        green tea

          Topic Starter


          Intermediate

          Thanked: 1
          Update:

          Still not having any luck when I double click a program.. the "Open with" window still pops up. But I decided to test it, and did "Browse" and was able to open up the programs by going to Program file folder, and double clicking on the "exe" files from there.

          I could open up SAS again, but cannot access the logs. I was able to run MBAM though, and here is the log. I can only paste it, because when I try to do Save As, Notepad crashes.


          ...................

          Malwarebytes' Anti-Malware 1.11
          Database version: 660

          Scan type: Full Scan (C:\|)
          Objects scanned: 112995
          Time elapsed: 50 minute(s), 29 second(s)

          Memory Processes Infected: 0
          Memory Modules Infected: 2
          Registry Keys Infected: 21
          Registry Values Infected: 6
          Registry Data Items Infected: 2
          Folders Infected: 6
          Files Infected: 54

          Memory Processes Infected:
          (No malicious items detected)

          Memory Modules Infected:
          C:\WINDOWS\system32\jkkKcDvt.dll (Trojan.Vundo) -> Unloaded module successfully.
          C:\WINDOWS\system32\rqRJCUon.dll (Trojan.Vundo) -> Unloaded module successfully.

          Registry Keys Infected:
          HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0bd6303c-42be-4a7c-8eaf-1cb19d7eeff4} (Trojan.Vundo) -> Delete on reboot.
          HKEY_CLASSES_ROOT\CLSID\{0bd6303c-42be-4a7c-8eaf-1cb19d7eeff4} (Trojan.Vundo) -> Delete on reboot.
          HKEY_CLASSES_ROOT\CLSID\{ffffffff-bbbb-4146-86fd-a722e8ab3489} (Trojan.BHO) -> Quarantined and deleted successfully.
          HKEY_CLASSES_ROOT\CLSID\{66186f05-bbbb-4a39-864f-72d84615c679} (Trojan.BHO) -> Quarantined and deleted successfully.
          HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{66186f05-bbbb-4a39-864f-72d84615c679} (Trojan.BHO) -> Quarantined and deleted successfully.
          HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ffffffff-bbbb-4146-86fd-a722e8ab3489} (Trojan.BHO) -> Quarantined and deleted successfully.
          HKEY_CLASSES_ROOT\CLSID\{a69f6966-e4f3-4290-8301-cc9342894fe5} (Trojan.Vundo) -> Quarantined and deleted successfully.
          HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WLCtrl32 (Trojan.Agent) -> Quarantined and deleted successfully.
          HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\BO1jiZmwnF2zhi (Trojan.Agent) -> Quarantined and deleted successfully.
          HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Malware.Trace) -> Quarantined and deleted successfully.
          HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
          HKEY_CURRENT_USER\Software\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
          HKEY_CLASSES_ROOT\WR (Malware.Trace) -> Quarantined and deleted successfully.
          HKEY_CURRENT_USER\Software\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
          HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
          HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
          HKEY_CLASSES_ROOT\CLSID\{1d0b1b2f-4d44-48dc-ae5a-f4bbbae2a83f} (Trojan.Vundo) -> Delete on reboot.
          HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1d0b1b2f-4d44-48dc-ae5a-f4bbbae2a83f} (Trojan.Vundo) -> Delete on reboot.
          HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\rqrjcuon (Trojan.Vundo) -> Delete on reboot.
          HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
          HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

          Registry Values Infected:
          HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\WebProxy (Trojan.BHO) -> Quarantined and deleted successfully.
          HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload (Trojan.Agent) -> Quarantined and deleted successfully.
          HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BM1f8c01e5 (Trojan.Agent) -> Quarantined and deleted successfully.
          HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{1d0b1b2f-4d44-48dc-ae5a-f4bbbae2a83f} (Trojan.Vundo) -> Delete on reboot.
          HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload (Trojan.Agent) -> Quarantined and deleted successfully.
          HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload (Trojan.Agent) -> Quarantined and deleted successfully.

          Registry Data Items Infected:
          HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\jkkkcdvt -> Delete on reboot.
          HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\jkkkcdvt  -> Delete on reboot.

          Folders Infected:
          C:\Program Files\InetGet2 (Trojan.Downloader) -> Quarantined and deleted successfully.
          C:\WINDOWS\system32\b1 (Trojan.Downloader) -> Quarantined and deleted successfully.
          C:\Program Files\Temporary (Trojan.Agent) -> Quarantined and deleted successfully.
          C:\Program Files\JavaCore (Trojan.Downloader) -> Quarantined and deleted successfully.
          C:\Program Files\CPV (Trojan.Downloader) -> Quarantined and deleted successfully.
          C:\Documents and Settings\LocalService\Application Data\NetMon (Trojan.NetMon) -> Quarantined and deleted successfully.

          Files Infected:
          C:\WINDOWS\system32\ccvdxtdx.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
          C:\WINDOWS\system32\xdtxdvcc.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
          C:\WINDOWS\system32\jkkKcDvt.dll (Trojan.Vundo) -> Delete on reboot.
          C:\WINDOWS\system32\tvDcKkkj.ini (Trojan.Vundo) -> Delete on reboot.
          C:\WINDOWS\system32\tvDcKkkj.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
          C:\WINDOWS\system32\wuxslnhr.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
          C:\WINDOWS\system32\rhnlsxuw.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
          C:\WINDOWS\system32\sockots64.dll (Trojan.BHO) -> Quarantined and deleted successfully.
          C:\Program Files\CPV\CPV8.dll (Adware.Bestrevenue) -> Quarantined and deleted successfully.
          C:\Program Files\JavaCore\JavaCore.exe (Trojan.Insider) -> Quarantined and deleted successfully.
          C:\System Volume Information\_restore{D172B5C7-37F3-42FE-B932-0FBE6EBB1A9E}\RP6\A0000070.dll (Adware.ClickSpring) -> Quarantined and deleted successfully.
          C:\System Volume Information\_restore{D172B5C7-37F3-42FE-B932-0FBE6EBB1A9E}\RP6\A0000071.exe (Adware.ClickSpring) -> Quarantined and deleted successfully.
          C:\System Volume Information\_restore{D172B5C7-37F3-42FE-B932-0FBE6EBB1A9E}\RP6\A0000073.dll (Adware.ZenoSearch) -> Quarantined and deleted successfully.
          C:\System Volume Information\_restore{D172B5C7-37F3-42FE-B932-0FBE6EBB1A9E}\RP6\A0000078.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
          C:\System Volume Information\_restore{D172B5C7-37F3-42FE-B932-0FBE6EBB1A9E}\RP6\A0000079.exe (Adware.SurfAccuracy) -> Quarantined and deleted successfully.
          C:\System Volume Information\_restore{D172B5C7-37F3-42FE-B932-0FBE6EBB1A9E}\RP6\A0000095.exe (Adware.WebHancer) -> Quarantined and deleted successfully.
          C:\System Volume Information\_restore{D172B5C7-37F3-42FE-B932-0FBE6EBB1A9E}\RP6\A0000096.dll (Adware.WebHancer) -> Quarantined and deleted successfully.
          C:\System Volume Information\_restore{D172B5C7-37F3-42FE-B932-0FBE6EBB1A9E}\RP6\A0000099.dll (Adware.WebHancer) -> Quarantined and deleted successfully.
          C:\System Volume Information\_restore{D172B5C7-37F3-42FE-B932-0FBE6EBB1A9E}\RP6\A0000100.exe (Adware.WebHancer) -> Quarantined and deleted successfully.
          C:\System Volume Information\_restore{D172B5C7-37F3-42FE-B932-0FBE6EBB1A9E}\RP6\A0001182.exe (AdWare.CommAd) -> Quarantined and deleted successfully.
          C:\System Volume Information\_restore{D172B5C7-37F3-42FE-B932-0FBE6EBB1A9E}\RP6\A0001184.dll (Adware.TargetSaver) -> Quarantined and deleted successfully.
          C:\System Volume Information\_restore{D172B5C7-37F3-42FE-B932-0FBE6EBB1A9E}\RP6\A0001185.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
          C:\System Volume Information\_restore{D172B5C7-37F3-42FE-B932-0FBE6EBB1A9E}\RP6\A0001186.dll (AdWare.CommAd) -> Quarantined and deleted successfully.
          C:\System Volume Information\_restore{D172B5C7-37F3-42FE-B932-0FBE6EBB1A9E}\RP6\A0001187.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
          C:\System Volume Information\_restore{D172B5C7-37F3-42FE-B932-0FBE6EBB1A9E}\RP6\A0001190.vbs (Malware.Trace) -> Quarantined and deleted successfully.
          C:\WINDOWS\b116.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
          C:\WINDOWS\b138.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
          C:\WINDOWS\b152.exe (Trojan.Insider) -> Quarantined and deleted successfully.
          C:\WINDOWS\b155.exe (Trojan.Agent) -> Quarantined and deleted successfully.
          C:\WINDOWS\b157.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
          C:\WINDOWS\system32\lcntmkdn.exe (Adware.ZeroSearch) -> Quarantined and deleted successfully.
          C:\WINDOWS\system32\rwwnw64d.exe (Adware.ZeroSearch) -> Quarantined and deleted successfully.
          C:\WINDOWS\system32\vptyufqy.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
          C:\WINDOWS\system32\drivers\nvxbarr.sys (Trojan.Agent) -> Quarantined and deleted successfully.
          C:\WINDOWS\system32\n3\predircom3.exe (Trojan.Agent) -> Quarantined and deleted successfully.
          C:\WINDOWS\system32\wTMP\idevdpll.exe (Adware.ZeroSearch) -> Quarantined and deleted successfully.
          C:\Program Files\JavaCore\UnInstall.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
          C:\Documents and Settings\LocalService\Application Data\NetMon\domains.txt (Trojan.NetMon) -> Quarantined and deleted successfully.
          C:\Documents and Settings\LocalService\Application Data\NetMon\log.txt (Trojan.NetMon) -> Quarantined and deleted successfully.
          C:\WINDOWS\system32\config\systemprofile\cftmon.exe (Trojan.Agent) -> Quarantined and deleted successfully.
          C:\WINDOWS\system32\qrixtvyx.dll (Trojan.Agent) -> Quarantined and deleted successfully.
          C:\WINDOWS\system32\000070.exe (Trojan.Agent) -> Quarantined and deleted successfully.
          C:\WINDOWS\system32\000080.exe (Trojan.Agent) -> Quarantined and deleted successfully.
          C:\WINDOWS\system32\zxdnt3d.cfg. (Adware.ZenoSearch) -> Quarantined and deleted successfully.
          C:\WINDOWS\system32\pac.txt (Malware.Trace) -> Quarantined and deleted successfully.
          C:\WINDOWS\system32\zxdnt3d.cfg (Malware.Trace) -> Quarantined and deleted successfully.
          C:\WINDOWS\system32\sft.res (Malware.Trace) -> Quarantined and deleted successfully.
          C:\WINDOWS\system32\WLCtrl32.dll (Trojan.Agent) -> Quarantined and deleted successfully.
          C:\WINDOWS\mrofinu1000106.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
          C:\WINDOWS\system32\rqRJCUon.dll (Trojan.Vundo) -> Delete on reboot.
          C:\WINDOWS\b156.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
          C:\WINDOWS\system32\drivers\core.cache.dsk (Malware.Trace) -> Quarantined and deleted successfully.
          C:\Documents and Settings\User\cftmon.exe (Trojan.Agent) -> Quarantined and deleted successfully.
          C:\Documents and Settings\LocalService\cftmon.exe (Trojan.Agent) -> Quarantined and deleted successfully.


          green tea

            Topic Starter


            Intermediate

            Thanked: 1
            OMG OMG!!
            After running MBAM and rebooting, I can now double click on any application and it will load. No "open with" window as of now! I can also access the Add/Remove program section again.

            Evilfantasy, hope you're still on board with helping me again (and everyone else too). Should I continue with HJT?
            ..........

            Here is the SAS log. This was done on 4/26 but due to the rundll32.exe problem, I couldn't access it until now.

            SUPERAntiSpyware Scan Log
            http://www.superantispyware.com

            Generated 04/26/2008 at 12:32 PM

            Application Version : 3.9.1008

            Core Rules Database Version : 3376
            Trace Rules Database Version: 1370

            Scan type       : Complete Scan
            Total Scan Time : 01:46:06

            Memory items scanned      : 199
            Memory threats detected   : 2
            Registry items scanned    : 6117
            Registry threats detected : 50
            File items scanned        : 88434
            File threats detected     : 20

            Adware.Vundo Variant/Resident
               C:\WINDOWS\SYSTEM32\JKKKCDVT.DLL
               C:\WINDOWS\SYSTEM32\JKKKCDVT.DLL

            Worm.Rbot-LD
               C:\WINDOWS\SYSTEM32\DRIVERS\SPOOLS.EXE
               C:\WINDOWS\SYSTEM32\DRIVERS\SPOOLS.EXE
               [ntuser] C:\WINDOWS\SYSTEM32\DRIVERS\SPOOLS.EXE
               [ntuser] C:\WINDOWS\SYSTEM32\DRIVERS\SPOOLS.EXE
               [ntuser] C:\WINDOWS\SYSTEM32\DRIVERS\SPOOLS.EXE
               [ntuser] C:\WINDOWS\SYSTEM32\DRIVERS\SPOOLS.EXE
               HKLM\System\ControlSet005\Services\Schedule
               HKLM\System\ControlSet006\Services\Schedule
               HKLM\System\CurrentControlSet\Services\Schedule
               C:\WINDOWS\Prefetch\SPOOLS.EXE-1394AE12.pf

            Adware.Vundo-Variant
               HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2797E8D2-3473-4A53-946C-C090C02A72CA}
               HKCR\CLSID\{2797E8D2-3473-4A53-946C-C090C02A72CA}
               HKCR\CLSID\{2797E8D2-3473-4A53-946C-C090C02A72CA}\InprocServer32
               HKCR\CLSID\{2797E8D2-3473-4A53-946C-C090C02A72CA}\InprocServer32#ThreadingModel

            Unclassified.Unknown Origin
               HKLM\System\ControlSet005\Services\cmdService
               C:\WINDOWS\VXNLCG\COMMAND.EXE
               HKLM\System\ControlSet006\Services\cmdService
               HKLM\System\CurrentControlSet\Services\cmdService
               C:\WINDOWS\Prefetch\COMMAND.EXE-14E8AF63.pf

            Adware.WebHancer
               HKLM\Software\WebHancer
               HKLM\Software\WebHancer#BaseDir
               HKLM\Software\WebHancer\CC
               HKLM\Software\WebHancer\CC#DistTag
               HKLM\Software\WebHancer\CC#id

            Adware.ClickSpring
               HKLM\Software\ClickSpring
               HKLM\Software\ClickSpring#UBWKR

            Trojan.cmdService
               HKLM\SYSTEM\CurrentControlSet\Services\cmdService#Type
               HKLM\SYSTEM\CurrentControlSet\Services\cmdService#Start
               HKLM\SYSTEM\CurrentControlSet\Services\cmdService#ErrorControl
               HKLM\SYSTEM\CurrentControlSet\Services\cmdService#ImagePath
               HKLM\SYSTEM\CurrentControlSet\Services\cmdService#DisplayName
               HKLM\SYSTEM\CurrentControlSet\Services\cmdService#ObjectName
               HKLM\SYSTEM\CurrentControlSet\Services\cmdService\Security
               HKLM\SYSTEM\CurrentControlSet\Services\cmdService\Security#Security
               HKLM\SYSTEM\CurrentControlSet\Services\cmdService\Enum
               HKLM\SYSTEM\CurrentControlSet\Services\cmdService\Enum#0
               HKLM\SYSTEM\CurrentControlSet\Services\cmdService\Enum#Count
               HKLM\SYSTEM\CurrentControlSet\Services\cmdService\Enum#NextInstance
               HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3877C2CD-F137-4144-BDB2-0A811492F920}
               HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3877C2CD-F137-4144-BDB2-0A811492F920}#Contact
               HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3877C2CD-F137-4144-BDB2-0A811492F920}#DisplayName
               HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3877C2CD-F137-4144-BDB2-0A811492F920}#DisplayVersion
               HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3877C2CD-F137-4144-BDB2-0A811492F920}#NoModify
               HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3877C2CD-F137-4144-BDB2-0A811492F920}#NoRemove
               HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3877C2CD-F137-4144-BDB2-0A811492F920}#NoRepair
               HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3877C2CD-F137-4144-BDB2-0A811492F920}#UninstallString
               HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE
               HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE#NextInstance
               HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000
               HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000#Service
               HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000#Legacy
               HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000#ConfigFlags
               HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000#Class
               HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000#ClassGUID
               HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000#DeviceDesc

            Trojan.ZenoSearch
               C:\WINDOWS\system32\msnav32.ax

            Adware.Adservs
               C:\WINDOWS\system32\atmtd.dll
               C:\WINDOWS\system32\atmtd.dll._
               C:\WINDOWS\SYSTEM32\B1\CBWA3UI.EXE
               C:\WINDOWS\VXNLCG\ASAPPSRV.DLL
               C:\WINDOWS\Prefetch\CBWA3UI.EXE-14E989A8.pf

            Trojan.NetMon/DNSChange
               C:\Program Files\Network Monitor\netmon.exe
               C:\Program Files\Network Monitor
               C:\WINDOWS\Prefetch\NETMON.EXE-09C9CC43.pf

            Adware.Tracking Cookie
               C:\Documents and Settings\LocalService\Cookies\[email protected][2].txt

            Trojan.Downloader-Gen/Win
               C:\WINDOWS\MROFINU72.EXE

            Adware.ClickSpring/Yazzle
               C:\WINDOWS\PREFETCH\YAZZLE1552OINADMIN.EXE-01D813FF.PF

            Adware.Vundo-Variant/Small-A
               C:\WINDOWS\SYSTEM32\CYNFGQWG.DLL

            Trojan.Unknown Origin
               C:\WINDOWS\UNINSTALL_NMON.VBS
               C:\WINDOWS\VXNLCG\PRH5W0.VBS

            green tea

              Topic Starter


              Intermediate

              Thanked: 1
              Here's the HJT Log

              Logfile of Trend Micro HijackThis v2.0.2
              Scan saved at 12:30:29 AM, on 2008-04-29
              Platform: Windows XP SP2 (WinNT 5.01.2600)
              MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
              Boot mode: Safe mode with network support

              Running processes:
              C:\WINDOWS\System32\smss.exe
              C:\WINDOWS\system32\winlogon.exe
              C:\WINDOWS\system32\services.exe
              C:\WINDOWS\system32\lsass.exe
              C:\WINDOWS\system32\svchost.exe
              C:\WINDOWS\System32\svchost.exe
              C:\WINDOWS\Explorer.EXE
              C:\WINDOWS\system32\ctfmon.exe
              C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
              C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

              R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
              R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
              R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
              R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
              R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
              O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
              O3 - Toolbar: Pop-Up Stopper &Companion - {8F05B1A8-9D77-4B8F-AF54-6B2202066F95} - C:\Program Files\Panicware\Pop-Up Stopper Companion\popupus.dll
              O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
              O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
              O4 - HKLM\..\Run: [Disk Monitor] C:\Program Files\\IC Card Reader Driver v1.8e2\Disk_Monitor.exe
              O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
              O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
              O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
              O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
              O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
              O4 - HKLM\..\Run: [1cbf3279] rundll32.exe "C:\WINDOWS\system32\ccvdxtdx.dll",b
              O4 - HKLM\..\Run: [Malwarebytes Anti-Malware Reboot] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
              O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
              O4 - HKCU\..\Run: [Vcsron] C:\Program Files\Vcsron\Vcsron.exe
              O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
              O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
              O4 - Global Startup: InterVideo WinScheduler.lnk = C:\Program Files\InterVideo\WinDVR\WinScheduler.exe
              O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
              O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
              O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
              O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
              O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
              O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
              O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
              O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.1.2.dll/206 (file missing)
              O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
              O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
              O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
              O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
              O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe
              O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
              O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1199778064781
              O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
              O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
              O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.exe
              O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
              O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
              O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Keymaestro\Multimedia Keyboard\nhksrv.exe
              O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
              O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
              O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
              O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

              evilfantasy

              • Malware Removal Specialist
              • Moderator


              • Genius
              • Calm like a bomb
              • Thanked: 489
              • Experience: Familiar
              • OS: Windows 10
              Download SDFix.exe and save it to your Desktop.

              Double click SDFix.exe and it will extract the files to %systemdrive%
              (Drive that contains the Windows Directory, typically C:\SDFix)

              Please then reboot your computer in Safe Mode by doing the following:

              • Restart your computer
              • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
              • Instead of Windows loading as normal, the Advanced Options Menu should appear;
              • Select the first option, to run Windows in Safe Mode, then press Enter.
              • Choose your usual account.
              • Open the extracted SDFix folder and double click RunThis.bat to start the script.
              • Type Y to begin the cleanup process.
              • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
              • Press any Key and it will restart the PC.
              • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
              • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
                (Report.txt will also be copied to Clipboard).
              • Finally add the contents of the Report.txt in your next post.

              green tea

                Topic Starter


                Intermediate

                Thanked: 1
                Same situation with SDfix as before. It ran completely and then prompted me to reboot. However, after rebooting in safe mode and logging in, the desktop icons loaded automatically. No Fixtools or anything from SDfix popped up.

                Here's what my report.txt says
                ...

                SDFix: Version 1.177
                Run by User on 2008-04-29 at 06:19 PM

                Microsoft Windows XP [Version 5.1.2600]
                Running From: C:\SDFix

                Checking Services :

                Name :
                MRV47

                Path :
                \??\C:\WINDOWS\System32\drivers\Mrv47.sys

                MRV47 - Deleted



                Restoring Windows Registry Values
                Restoring Windows Default Hosts File


                green tea

                  Topic Starter


                  Intermediate

                  Thanked: 1
                  Just noticed these in the Add/Remove list:

                  vcsron
                  csvnro
                  svconr

                  I first saw "vcsron", deleted that. But after I went back to check the list, "csvnro" appeared in it's place. Deleted that, and then the next one appeared. I hope more doesn't show up.
                  « Last Edit: April 29, 2008, 10:22:35 PM by green tea »

                  evilfantasy

                  • Malware Removal Specialist
                  • Moderator


                  • Genius
                  • Calm like a bomb
                  • Thanked: 489
                  • Experience: Familiar
                  • OS: Windows 10
                  We need to try combofix.

                  Please download Combofix by sUBs from one of the below links.
                  (Try all three if necessary)Important! Combofix.exe MUST be saved to and ran from the Desktop.
                  • Close any open Web browsers. (Firefox, Internet Explorer, etc) before starting Combofix.
                  • Important! Temporarily disable your antivirus, script blocking and any antispyware real time protection before performing a scan.
                    • Click this link to see a list of security programs that should be disabled and how to disable them.
                    • If yours is not listed and you don't know how to disable it, please ask.
                  • Warning: Combofix disconnects your computer from the internet. The connection is automatically restored before Combofix completes its run.
                  • Double click combofix.exe & follow the prompts.
                    • Choose Yes to accept the Disclaimers.[
                    • When finished, it will produce a log for you.
                    • Post that log in your next reply.
                    Warning: Do not mouseclick combofix's window while it is running. That may cause it to stall
                    • If Combofix runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your computer.
                    • Important: Remember to re-enable your antivirus and antispyware before reconnecting to the Internet.

                    green tea

                      Topic Starter


                      Intermediate

                      Thanked: 1
                      Just got home, and finished my Combofix. It didn't reboot to normal mode like the first time though. It was rebooting and then after the Window XP load screen, the monitor just said no signal, and then the pc shut down. Then it rebooted, and I went to Safemode with networking.

                      ComboFix 08-04-29.5 - User 2008-04-30 18:14:31.8 - NTFSx86 NETWORK
                      Microsoft Windows XP Home Edition  5.1.2600.2.1252.1.1033.18.260 [GMT -7:00]
                      Running from: C:\Documents and Settings\User\Desktop\ComboFix.exe

                      WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
                      .

                      (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
                      .

                      C:\Documents and Settings\User\Application Data\ASKS~1
                      C:\Temp\1cb
                      C:\temp\tn3
                      C:\WINDOWS\cookies.ini
                      C:\WINDOWS\megavid.cdt
                      C:\WINDOWS\muotr.so
                      C:\WINDOWS\pskt.ini
                      C:\WINDOWS\system32\cxhfywlk.dll
                      C:\WINDOWS\system32\ewdlftut.dll
                      C:\WINDOWS\system32\gwqgfnyc.ini
                      C:\WINDOWS\system32\hiqvdcgt.dll
                      C:\WINDOWS\system32\hpyqchfc.dll
                      C:\WINDOWS\system32\jkkKcDvt.dll
                      C:\WINDOWS\system32\kjbblsww.dll
                      C:\WINDOWS\system32\lelptvxx.dll
                      C:\WINDOWS\system32\n3
                      C:\WINDOWS\system32\oyxyaglt.dll
                      C:\WINDOWS\system32\rqRJCUon.dll
                      C:\WINDOWS\system32\tutfldwe.ini
                      C:\WINDOWS\system32\tvDcKkkj.ini
                      C:\WINDOWS\system32\tvDcKkkj.ini2
                      C:\WINDOWS\system32\wgpaftim.dll
                      C:\WINDOWS\system32\wnbqxspc.dll
                      C:\WINDOWS\system32\wnvgthhx.dll
                      C:\WINDOWS\system32\wwslbbjk.ini

                      .
                      (((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
                      .

                      -------\Legacy_MSSECURITY1.209.4
                      -------\Service_MsSecurity1.209.4


                      (((((((((((((((((((((((((   Files Created from 2008-04-01 to 2008-05-01  )))))))))))))))))))))))))))))))
                      .

                      2008-04-29 21:17 . 2008-04-29 21:17   <DIR>   d--------   C:\Program Files\Vcsron
                      2008-04-29 18:12 . 2008-04-30 18:16   <DIR>   d--------   C:\SDFix
                      2008-04-26 10:26 . 2002-08-29 05:00   4,224   --a------   C:\WINDOWS\system32\beep.sys
                      2008-04-26 10:26 . 2008-04-26 10:35   578   --a------   C:\WINDOWS\index.html
                      2008-04-26 10:06 . 2008-04-30 10:10   109,738   --a------   C:\WINDOWS\BM1f8c01e5.xml
                      2008-04-26 10:00 . 2008-04-26 10:00   861   --a------   C:\WINDOWS\system32\winpfz33.sys
                      2008-04-26 09:59 . 2008-04-26 12:33   <DIR>   d--hs----   C:\WINDOWS\VXNlcg
                      2008-04-26 09:59 . 2008-04-29 00:06   <DIR>   d--------   C:\WINDOWS\system32\wTMP
                      2008-04-26 09:59 . 2008-04-26 09:59   <DIR>   d--------   C:\WINDOWS\system32\pnVes06
                      2008-04-26 09:59 . 2008-04-26 09:59   <DIR>   d--------   C:\Temp\zvebs14
                      2008-04-26 09:59 . 2008-04-26 09:59   <DIR>   d--------   C:\Temp\kvebs14
                      2008-04-26 09:59 . 2008-04-26 09:59   400,585   --a------   C:\WINDOWS\system32\g4.exe
                      2008-04-22 21:19 . 2008-04-22 21:19   <DIR>   d--------   C:\Program Files\BillP Studios
                      2008-04-22 21:19 . 2008-04-22 21:19   <DIR>   d--------   C:\Documents and Settings\User\Application Data\WinPatrol
                      2008-04-22 21:06 . 2008-04-22 21:06   54,156   --ah-----   C:\WINDOWS\QTFont.qfn
                      2008-04-22 21:06 . 2008-04-22 21:06   1,409   --a------   C:\WINDOWS\QTFont.for
                      2008-04-22 20:22 . 2008-04-22 20:22   <DIR>   d--------   C:\Program Files\CleanUp!
                      2008-04-20 10:01 . 2008-04-20 10:02   <DIR>   d--------   C:\WINDOWS\ERUNT
                      2008-04-19 23:35 . 2008-04-19 23:35   <DIR>   d--------   C:\Program Files\Malwarebytes' Anti-Malware
                      2008-04-19 23:35 . 2008-04-19 23:35   <DIR>   d--------   C:\Documents and Settings\User\Application Data\Malwarebytes
                      2008-04-19 23:35 . 2008-04-19 23:35   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\Malwarebytes

                      .
                      ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
                      .
                      2008-04-29 07:24   ---------   d-----w   C:\Program Files\SUPERAntiSpyware
                      2003-03-12 00:39   32   --sha-w   C:\WINDOWS\{2FFF1D80-86D2-4182-B08D-B83B0BA71F57}.dat
                      2003-03-12 00:39   32   --sha-w   C:\WINDOWS\system32\{AA0C2FA6-E16C-49D0-B082-57DD9A57705D}.dat
                      .

                      (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
                      .
                      .
                      *Note* empty entries & legit default entries are not shown
                      REGEDIT4

                      [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                      "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
                      "Vcsron"="C:\Program Files\Vcsron\Vcsron.exe" [2008-04-26 10:02 57344]

                      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                      "NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2005-01-26 09:07 5529600]
                      "nwiz"="nwiz.exe" [2005-01-26 09:07 1490944 C:\WINDOWS\system32\nwiz.exe]
                      "Disk Monitor"="C:\Program Files\\IC Card Reader Driver v1.8e2\Disk_Monitor.exe" [2008-01-08 08:27 440832]
                      "NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [2005-01-26 09:07 86016]
                      "PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2008-01-07 22:35 455168]
                      "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-01-08 08:27 278528]
                      "WinPatrol"="C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe" [2008-01-26 22:38 316728]
                      "Malwarebytes Anti-Malware Reboot"="C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" [2008-04-07 20:17 1175160]

                      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
                      "GrpConv"="grpconv -o" []

                      C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
                      Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
                      InterVideo WinCinema Manager.lnk - C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe [2003-03-12 15:04:53 102400]
                      InterVideo WinScheduler.lnk - C:\Program Files\InterVideo\WinDVR\WinScheduler.exe [2003-03-12 15:06:28 147456]

                      [hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
                      "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 14:55 77824]

                      [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
                      C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 14:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

                      [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rqRJCUon]
                      rqRJCUon.dll

                      [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
                      "msacm.dvacm"= C:\PROGRA~1\COMMON~1\ULEADS~1\Vio\Dvacm.acm
                      "vidc.3ivx"= 3ivxVfWCodec.dll
                      "vidc.3iv2"= 3ivxVfWCodec.dll
                      "msacm.divxa32"= divxa32.acm
                      "VIDC.HFYU"= huffyuv.dll
                      "VIDC.i263"= i263_32.drv
                      "msacm.imc"= imc32.acm
                      "VIDC.VP31"= vp31vfw.dll

                      [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
                      "DisableMonitoring"=dword:00000001

                      [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
                      "C:\\Program Files\\iTunes\\iTunes.exe"=
                      "C:\\Program Files\\BitComet\\BitComet.exe"=

                      [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
                      "7467:TCP"= 7467:TCP:BitComet 7467 TCP
                      "7467:UDP"= 7467:UDP:BitComet 7467 UDP

                      R1 GearAspiSys;GearAspiSys;C:\WINDOWS\system32\drivers\gearaspisys.sys [2002-06-24 11:00]
                      R1 msikbd2k;Multimedia Keyboard Filter Driver;C:\WINDOWS\system32\DRIVERS\msikbd2k.sys [2001-12-20 10:02]
                      S1 nvxbarr;nvxbarr;C:\WINDOWS\system32\drivers\nvxbarr.sys []
                      S2 BT848;CxVCap, WDM Video Capture;C:\WINDOWS\system32\drivers\cxvcap.sys [2002-08-14 20:03]
                      S2 BTTUNER;BtTuner, WDM TV Tuner;C:\WINDOWS\system32\drivers\BTTUNER.SYS [2001-04-11 17:58]
                      S2 BTXBAR;BtXBar, WDM Crossbar;C:\WINDOWS\system32\drivers\BTXBAR.SYS [2001-04-11 17:58]
                      S2 CXTUNER;CxTuner, WDM TvTuner;C:\WINDOWS\system32\drivers\CXTUNER.sys [2002-08-14 19:58]
                      S2 CXXBAR;CxXBar, WDM Crossbar;C:\WINDOWS\system32\drivers\CXXBAR.sys [2002-08-14 19:58]
                      S2 nhksrv;Netropa NHK Server;C:\Program Files\Keymaestro\Multimedia Keyboard\nhksrv.exe [2001-08-06 07:41]
                      S3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\AN983.sys [2002-08-28 22:59]
                      S3 MBAMCatchMe;MBAMCatchMe;C:\Program Files\Malwarebytes' Anti-Malware\catchme.sys [2008-04-07 20:17]
                      S3 NETGEAR_MA111;NETGEAR 802.11b MA111 Driver;C:\WINDOWS\system32\DRIVERS\MA111nd5.sys [2003-08-29 08:39]
                      S3 WLAN_USB;Wireless LAN USB Driver;C:\WINDOWS\system32\DRIVERS\MA111nd5.sys [2003-08-29 08:39]

                      *Newly Created Service* - CXTUNER
                      *Newly Created Service* - CXXBAR
                      .
                      Contents of the 'Scheduled Tasks' folder
                      "2008-04-26 10:00:00 C:\WINDOWS\Tasks\AntiSpyware Scheduled Scan.job"
                      - C:\Program Files\AntiSpywareApp\AntiSpyware .ex
                      - C:\Program Files\AntiSpywareApp
                      "2008-04-26 03:35:30 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job"
                      - C:\PROGRA~1\NORTON~1\NAVW32.exeG/task:C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec\NORTON~1\Tasks\mycomp.sca
                      "2008-04-26 16:17:23 C:\WINDOWS\Tasks\Symantec NetDetect.job"
                      - C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
                      .
                      **************************************************************************

                      catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
                      Rootkit scan 2008-04-30 18:21:54
                      Windows 5.1.2600 Service Pack 2 NTFS

                      scanning hidden processes ...

                      scanning hidden autostart entries ...

                      scanning hidden files ...


                      C:\WINDOWS\system32\drivers\clbdriver.sys 6656 bytes executable
                      C:\WINDOWS\system32\clb.dll 10752 bytes executable
                      C:\WINDOWS\system32\clbcatex.dll 110080 bytes executable
                      C:\WINDOWS\system32\clbcatq.dll 498688 bytes executable
                      C:\WINDOWS\system32\clbcfg.dat 1695 bytes
                      C:\WINDOWS\system32\clbdll.dll 29184 bytes executable

                      scan completed successfully
                      hidden files: 6

                      **************************************************************************

                      [HKEY_LOCAL_MACHINE\System\ControlSet005\Services\clbdriver]
                      "imagepath"="\??\globalroot\systemroot\system32\drivers\clbdriver.sys"
                      .
                      ------------------------ Other Running Processes ------------------------
                      .
                      C:\WINDOWS\system32\savedump.exe
                      .
                      **************************************************************************
                      .
                      Completion time: 2008-04-30 18:26:07 - machine was rebooted
                      ComboFix-quarantined-files.txt  2008-05-01 01:26:04

                      Pre-Run: 4,014,170,112 bytes free
                      Post-Run: 4,019,470,336 bytes free

                      167   --- E O F ---   2008-04-09 10:04:51

                      green tea

                        Topic Starter


                        Intermediate

                        Thanked: 1
                        I just tried saving my Combofix log but when I when to click "Save as", notepad automatically closed by itself.

                        I know the CFScript step is next, but since I can't save the notepad files on my own, can you help save a CFScript.txt for me, and then attach it so I can d/l the entire file. As long as I don't open up notepad and try and save it, I'm ok.

                        Also, vcsron is still on my Add/Remove list.

                        evilfantasy

                        • Malware Removal Specialist
                        • Moderator


                        • Genius
                        • Calm like a bomb
                        • Thanked: 489
                        • Experience: Familiar
                        • OS: Windows 10
                        cfscript log attached.

                        Drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!



                        ComboFix will begin to execute, just follow the prompts.
                        After reboot (in case it asks to reboot), it will produce a log for you.
                        Post that log (Combofix.txt) in your next reply.

                        Note: Do not mouseclick combofix's window while it is running. That may cause your system to freeze

                        ----------

                        Next:

                        Go to Start > Control Panel > Internet Options
                        In the General tab, Temporary Internet Files, click:Delete Files
                        When prompted, check:Delete all offline content
                        You can also check: Delete Cookies (You will have to re-enter passwords at websites that require them.)
                        Click OK

                        Then, go to Start > Run and enter: cleanmgr
                        Select the drive to clean: C:\
                        Check the following boxes and then press OK to remove:
                        • Temporary Files
                        • Temporary Internet Files
                        • RecycleBin
                        Agree to the prompt to perform the action...


                        Next:

                        Please download    ATF Cleaner by Atribuneand save it to your Desktop
                        Follow the instructions for the browser you use.
                        Read the instructions about the cookies. Delete what you do not need.

                        Double click ATF-Cleaner.exe to run the program.
                        Check the boxes to the left of:
                        • Windows Temp
                        • Current User Temp
                        • All Users Temp
                        • Temporary Internet Files
                        • Java Cache
                        The rest are optional - if you want to remove everything, check Select All
                        Finally click Empty Selected. When you get the "Done Cleaning" message, click OK.
                        If you use the Firefox or Opera browsers, you can use this program as a quick way to tidy those up as well.
                        When you have finished, click on the Exit button in the Main menu.
                        It is important to restart the computer after running ATF Cleaner.

                        Next post
                        Combofix log
                        Fresh Hijackthis log




                        [recovering space - attachment deleted by admin]

                        green tea

                          Topic Starter


                          Intermediate

                          Thanked: 1
                          ComboFix 08-04-29.5 - User 2008-04-30 19:26:35.9 - NTFSx86 NETWORK
                          Microsoft Windows XP Home Edition  5.1.2600.2.1252.1.1033.18.326 [GMT -7:00]
                          Running from: C:\Documents and Settings\User\Desktop\ComboFix.exe
                          Command switches used :: C:\Documents and Settings\User\Desktop\cfscript.txt

                          WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

                          FILE ::
                          C:\WINDOWS\system32\beep.sys
                          C:\WINDOWS\system32\g4.exe
                          C:\WINDOWS\system32\winpfz33.sys
                          .

                          (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
                          .

                          C:\Temp\kvebs14
                          C:\Temp\kvebs14\zvKarru.log
                          C:\Temp\zvebs14
                          C:\WINDOWS\system32\beep.sys
                          C:\WINDOWS\system32\g4.exe
                          C:\WINDOWS\system32\pnVes06
                          C:\WINDOWS\system32\pnVes06\pnVes061083.exe
                          C:\WINDOWS\system32\winpfz33.sys
                          C:\WINDOWS\system32\wTMP
                          C:\WINDOWS\VXNlcg

                          .
                          (((((((((((((((((((((((((   Files Created from 2008-04-01 to 2008-05-01  )))))))))))))))))))))))))))))))
                          .

                          2008-04-29 21:17 . 2008-04-29 21:17   <DIR>   d--------   C:\Program Files\Vcsron
                          2008-04-29 18:12 . 2008-04-30 18:16   <DIR>   d--------   C:\SDFix
                          2008-04-26 10:26 . 2008-04-26 10:35   578   --a------   C:\WINDOWS\index.html
                          2008-04-26 10:06 . 2008-04-30 10:10   109,738   --a------   C:\WINDOWS\BM1f8c01e5.xml
                          2008-04-22 21:19 . 2008-04-22 21:19   <DIR>   d--------   C:\Program Files\BillP Studios
                          2008-04-22 21:19 . 2008-04-22 21:19   <DIR>   d--------   C:\Documents and Settings\User\Application Data\WinPatrol
                          2008-04-22 21:06 . 2008-04-22 21:06   54,156   --ah-----   C:\WINDOWS\QTFont.qfn
                          2008-04-22 21:06 . 2008-04-22 21:06   1,409   --a------   C:\WINDOWS\QTFont.for
                          2008-04-22 20:22 . 2008-04-22 20:22   <DIR>   d--------   C:\Program Files\CleanUp!
                          2008-04-20 10:01 . 2008-04-20 10:02   <DIR>   d--------   C:\WINDOWS\ERUNT
                          2008-04-19 23:35 . 2008-04-19 23:35   <DIR>   d--------   C:\Program Files\Malwarebytes' Anti-Malware
                          2008-04-19 23:35 . 2008-04-19 23:35   <DIR>   d--------   C:\Documents and Settings\User\Application Data\Malwarebytes
                          2008-04-19 23:35 . 2008-04-19 23:35   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\Malwarebytes

                          .
                          ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
                          .
                          2008-04-29 07:24   ---------   d-----w   C:\Program Files\SUPERAntiSpyware
                          2003-03-12 00:39   32   --sha-w   C:\WINDOWS\{2FFF1D80-86D2-4182-B08D-B83B0BA71F57}.dat
                          2003-03-12 00:39   32   --sha-w   C:\WINDOWS\system32\{AA0C2FA6-E16C-49D0-B082-57DD9A57705D}.dat
                          .

                          (((((((((((((((((((((((((((((   [email protected]_18.25.51.17   )))))))))))))))))))))))))))))))))))))))))
                          .
                          - 2008-05-01 01:21:23   2,048   --s-a-w   C:\WINDOWS\bootstat.dat
                          + 2008-05-01 02:28:34   2,048   --s-a-w   C:\WINDOWS\bootstat.dat
                          - 2008-05-01 01:21:26   16,384   ----a-w   C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
                          + 2008-05-01 02:28:35   16,384   ----a-w   C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
                          - 2008-05-01 01:21:26   32,768   ----a-w   C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
                          + 2008-05-01 02:28:35   32,768   ----a-w   C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
                          - 2008-05-01 01:21:26   32,768   ----a-w   C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
                          + 2008-05-01 02:28:35   32,768   ----a-w   C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
                          .
                          (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
                          .
                          .
                          *Note* empty entries & legit default entries are not shown
                          REGEDIT4

                          [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                          "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
                          "Vcsron"="C:\Program Files\Vcsron\Vcsron.exe" [2008-04-26 10:02 57344]

                          [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                          "NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2005-01-26 09:07 5529600]
                          "nwiz"="nwiz.exe" [2005-01-26 09:07 1490944 C:\WINDOWS\system32\nwiz.exe]
                          "Disk Monitor"="C:\Program Files\\IC Card Reader Driver v1.8e2\Disk_Monitor.exe" [2008-01-08 08:27 440832]
                          "NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [2005-01-26 09:07 86016]
                          "PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2008-01-07 22:35 455168]
                          "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-01-08 08:27 278528]
                          "WinPatrol"="C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe" [2008-01-26 22:38 316728]

                          C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
                          Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
                          InterVideo WinCinema Manager.lnk - C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe [2003-03-12 15:04:53 102400]
                          InterVideo WinScheduler.lnk - C:\Program Files\InterVideo\WinDVR\WinScheduler.exe [2003-03-12 15:06:28 147456]

                          [hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
                          "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 14:55 77824]

                          [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
                          C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 14:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

                          [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
                          "msacm.dvacm"= C:\PROGRA~1\COMMON~1\ULEADS~1\Vio\Dvacm.acm
                          "vidc.3ivx"= 3ivxVfWCodec.dll
                          "vidc.3iv2"= 3ivxVfWCodec.dll
                          "msacm.divxa32"= divxa32.acm
                          "VIDC.HFYU"= huffyuv.dll
                          "VIDC.i263"= i263_32.drv
                          "msacm.imc"= imc32.acm
                          "VIDC.VP31"= vp31vfw.dll

                          [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
                          Authentication Packages   REG_SZ            msv1_0

                          [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
                          SecurityProviders   msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

                          [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
                          "DisableMonitoring"=dword:00000001

                          [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
                          "C:\\Program Files\\iTunes\\iTunes.exe"=
                          "C:\\Program Files\\BitComet\\BitComet.exe"=

                          [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
                          "7467:TCP"= 7467:TCP:BitComet 7467 TCP
                          "7467:UDP"= 7467:UDP:BitComet 7467 UDP

                          R1 GearAspiSys;GearAspiSys;C:\WINDOWS\system32\drivers\gearaspisys.sys [2002-06-24 11:00]
                          R1 msikbd2k;Multimedia Keyboard Filter Driver;C:\WINDOWS\system32\DRIVERS\msikbd2k.sys [2001-12-20 10:02]
                          R2 BT848;CxVCap, WDM Video Capture;C:\WINDOWS\system32\drivers\cxvcap.sys [2002-08-14 20:03]
                          R2 CXTUNER;CxTuner, WDM TvTuner;C:\WINDOWS\system32\drivers\CXTUNER.sys [2002-08-14 19:58]
                          R2 CXXBAR;CxXBar, WDM Crossbar;C:\WINDOWS\system32\drivers\CXXBAR.sys [2002-08-14 19:58]
                          R2 nhksrv;Netropa NHK Server;C:\Program Files\Keymaestro\Multimedia Keyboard\nhksrv.exe [2001-08-06 07:41]
                          S1 nvxbarr;nvxbarr;C:\WINDOWS\system32\drivers\nvxbarr.sys []
                          S2 BTTUNER;BtTuner, WDM TV Tuner;C:\WINDOWS\system32\drivers\BTTUNER.SYS [2001-04-11 17:58]
                          S2 BTXBAR;BtXBar, WDM Crossbar;C:\WINDOWS\system32\drivers\BTXBAR.SYS [2001-04-11 17:58]
                          S3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\AN983.sys [2002-08-28 22:59]
                          S3 MBAMCatchMe;MBAMCatchMe;C:\Program Files\Malwarebytes' Anti-Malware\catchme.sys [2008-04-07 20:17]
                          S3 NETGEAR_MA111;NETGEAR 802.11b MA111 Driver;C:\WINDOWS\system32\DRIVERS\MA111nd5.sys [2003-08-29 08:39]
                          S3 WLAN_USB;Wireless LAN USB Driver;C:\WINDOWS\system32\DRIVERS\MA111nd5.sys [2003-08-29 08:39]

                          .
                          Contents of the 'Scheduled Tasks' folder
                          "2008-04-26 10:00:00 C:\WINDOWS\Tasks\AntiSpyware Scheduled Scan.job"
                          - C:\Program Files\AntiSpywareApp\AntiSpyware .ex
                          - C:\Program Files\AntiSpywareApp
                          "2008-04-26 03:35:30 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job"
                          - C:\PROGRA~1\NORTON~1\NAVW32.exeG/task:C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec\NORTON~1\Tasks\mycomp.sca
                          "2008-04-26 16:17:23 C:\WINDOWS\Tasks\Symantec NetDetect.job"
                          - C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
                          .
                          **************************************************************************

                          catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
                          Rootkit scan 2008-04-30 19:29:37
                          Windows 5.1.2600 Service Pack 2 NTFS

                          scanning hidden processes ...

                          scanning hidden autostart entries ...

                          scanning hidden files ...


                          C:\WINDOWS\system32\drivers\clbdriver.sys 6656 bytes executable
                          C:\WINDOWS\system32\clb.dll 10752 bytes executable
                          C:\WINDOWS\system32\clbcatex.dll 110080 bytes executable
                          C:\WINDOWS\system32\clbcatq.dll 498688 bytes executable
                          C:\WINDOWS\system32\clbcfg.dat 1695 bytes
                          C:\WINDOWS\system32\clbdll.dll 29184 bytes executable

                          scan completed successfully
                          hidden files: 6

                          **************************************************************************

                          [HKEY_LOCAL_MACHINE\System\ControlSet005\Services\clbdriver]
                          "imagepath"="\??\globalroot\systemroot\system32\drivers\clbdriver.sys"
                          .
                          ------------------------ Other Running Processes ------------------------
                          .
                          C:\Program Files\Common Files\Symantec Shared\CCEVTMGR.EXE
                          C:\WINDOWS\system32\Ctsvccda.exe
                          C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
                          C:\WINDOWS\system32\nvsvc32.exe
                          C:\WINDOWS\system32\MsPMSPSv.exe
                          C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
                          C:\WINDOWS\system32\wscntfy.exe
                          C:\Program Files\IC Card Reader Driver v1.8e2\Disk_Monitor.exe
                          C:\Program Files\iPod\bin\iPodService.exe
                          .
                          **************************************************************************
                          .
                          Completion time: 2008-04-30 19:33:49 - machine was rebooted
                          ComboFix-quarantined-files.txt  2008-05-01 02:33:43
                          ComboFix2.txt  2008-05-01 01:26:08

                          Pre-Run: 4,032,126,976 bytes free
                          Post-Run: 4,015,120,384 bytes free

                          162   --- E O F ---   2008-04-09 10:04:51