
Author Topic: What is this?  (Read 9449 times)


SirOlwyn

    Topic Starter


    Rookie

    What is this?
    « on: August 31, 2008, 01:24:35 PM »
    I was infected by a trojan and ran several different programs to get rid of it. But now in my taskbar I have 2 processes running that I can find nothing about. They are qtyuqpcb.exe and qtubynul.exe. Does anyone know what they are? I'm guessing they are left over from the trojan but am not sure.

    evilfantasy

    • Malware Removal Specialist
    • Moderator


    • Genius
    • Calm like a bomb
    • Thanked: 493
    • Experience: Experienced
    • OS: Windows 11
    Re: What is this?
    « Reply #1 on: August 31, 2008, 02:37:50 PM »
    Welcome to CH.

    Download ComboFix by sUBs from one of the below links. Be sure to save it to the Desktop.

    Link #1
    Link #2

    **Note:  It is important that it is saved directly to your Desktop

    Close any open web browsers (Firefox, Internet Explorer, etc.) before starting ComboFix.

    Temporarily disable your antivirus, and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.
     
    Double click combofix.exe & follow the prompts.
    When finished ComboFix will produce a log for you.
    Post the ComboFix log in your next reply.

    Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

    Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.

    SirOlwyn

      Re: What is this?
      « Reply #2 on: August 31, 2008, 03:30:45 PM »
      ComboFix 08-08-30.03 - Evil 2008-08-31 16:17:06.1 - NTFSx86
      Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.701 [GMT -5:00]
      Running from: C:\Documents and Settings\Evil\Desktop\ComboFix.exe
       * Created a new restore point
       * Resident AV is active


      WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
      .

      (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
      .

      C:\Documents and Settings\Evil\Application Data\macromedia\Flash Player\#SharedObjects\QESZNN2X\bin.clearspring.com
      C:\Documents and Settings\Evil\Application Data\macromedia\Flash Player\#SharedObjects\QESZNN2X\bin.clearspring.com\clearspring.sol
      C:\Documents and Settings\Evil\Application Data\macromedia\Flash Player\#SharedObjects\QESZNN2X\interclick.com
      C:\Documents and Settings\Evil\Application Data\macromedia\Flash Player\#SharedObjects\QESZNN2X\interclick.com\ud.sol
      C:\Documents and Settings\Evil\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#bin.clearspring.com
      C:\Documents and Settings\Evil\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#bin.clearspring.com\settings.sol
      C:\Documents and Settings\Evil\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
      C:\Documents and Settings\Evil\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
      C:\Documents and Settings\Evil\Application Data\rhcce4j0er2e
      C:\Program Files\akl
      C:\Program Files\akl\akl.dll
      C:\Program Files\akl\akl.exe
      C:\Program Files\akl\uninstall.exe
      C:\Program Files\akl\unsetup.exe
      C:\Program Files\Inet Delivery
      C:\Program Files\Inet Delivery\inetdl.exe
      C:\Program Files\Inet Delivery\intdel.exe
      C:\Program Files\rhcce4j0er2e
      C:\WINDOWS\a.bat
      C:\WINDOWS\base64.tmp
      C:\WINDOWS\bdn.com
      C:\WINDOWS\FVProtect.exe
      C:\WINDOWS\hosts
      C:\WINDOWS\iTunesMusic.exe
      C:\WINDOWS\mslagent
      C:\WINDOWS\mslagent\2_mslagent.dll
      C:\WINDOWS\mslagent\mslagent.exe
      C:\WINDOWS\mslagent\uninstall.exe
      C:\WINDOWS\mssecu.exe
      C:\WINDOWS\system32\akttzn.exe
      C:\WINDOWS\system32\anticipator.dll
      C:\WINDOWS\system32\awtoolb.dll
      C:\WINDOWS\system32\bdn.com
      C:\WINDOWS\system32\blphc9e4j0er2e.scr
      C:\WINDOWS\system32\bsva-egihsg52.exe
      C:\WINDOWS\system32\dpcproxy.exe
      C:\WINDOWS\system32\emesx.dll
      C:\WINDOWS\system32\h@tkeysh@@k.dll
      C:\WINDOWS\system32\hoproxy.dll
      C:\WINDOWS\system32\hxiwlgpm.dat
      C:\WINDOWS\system32\hxiwlgpm.exe
      C:\WINDOWS\system32\medup012.dll
      C:\WINDOWS\system32\medup020.dll
      C:\WINDOWS\system32\msgp.exe
      C:\WINDOWS\system32\msnbho.dll
      C:\WINDOWS\system32\mssecu.exe
      C:\WINDOWS\system32\msvchost.exe
      C:\WINDOWS\system32\mtr2.exe
      C:\WINDOWS\system32\mwin32.exe
      C:\WINDOWS\system32\netode.exe
      C:\WINDOWS\system32\newsd32.exe
      C:\WINDOWS\system32\pphc9e4j0er2e.exe
      C:\WINDOWS\system32\ps1.exe
      C:\WINDOWS\system32\psof1.exe
      C:\WINDOWS\system32\psoft1.exe
      C:\WINDOWS\system32\regc64.dll
      C:\WINDOWS\system32\regm64.dll
      C:\WINDOWS\system32\Rundl1.exe
      C:\WINDOWS\system32\smp
      C:\WINDOWS\system32\smp\msrc.exe
      C:\WINDOWS\system32\sncntr.exe
      C:\WINDOWS\system32\ssurf022.dll
      C:\WINDOWS\system32\ssvchost.com
      C:\WINDOWS\system32\ssvchost.exe
      C:\WINDOWS\system32\sysreq.exe
      C:\WINDOWS\system32\taack.dat
      C:\WINDOWS\system32\taack.exe
      C:\WINDOWS\system32\temp#01.exe
      C:\WINDOWS\system32\thun.dll
      C:\WINDOWS\system32\thun32.dll
      C:\WINDOWS\system32\VBIEWER.OCX
      C:\WINDOWS\system32\vbsys2.dll
      C:\WINDOWS\system32\vcatchpi.dll
      C:\WINDOWS\system32\winlogonpc.exe
      C:\WINDOWS\system32\winsystem.exe
      C:\WINDOWS\system32\WINWGPX.EXE
      C:\WINDOWS\userconfig9x.dll
      C:\WINDOWS\winsystem.exe
      C:\WINDOWS\zip1.tmp
      C:\WINDOWS\zip2.tmp
      C:\WINDOWS\zip3.tmp
      C:\WINDOWS\zipped.tmp

      .
      (((((((((((((((((((((((((   Files Created from 2008-07-28 to 2008-08-31  )))))))))))))))))))))))))))))))
      .

      2008-08-30 18:05 . 2008-08-30 18:05   <DIR>   d--------   C:\Program Files\Enigma Software Group
      2008-08-30 17:06 . 2008-08-30 17:06   74   --a------   C:\WINDOWS\st_affiliate.ini
      2008-08-30 16:04 . 2008-08-30 16:29   <DIR>   d--------   C:\Program Files\SAV
      2008-08-30 16:04 . 2008-08-30 16:04   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\yncxkzwr
      2008-08-30 16:04 . 2008-08-30 16:04   115,204   --a------   C:\WINDOWS\system32\msxml71.dll
      2008-08-30 16:04 . 2008-08-30 16:04   90,112   --a------   C:\WINDOWS\system32\qtubynul.exe
      2008-08-29 22:48 . 2008-08-29 22:48   0   --a------   C:\Documents and Settings\Evil\jagex_runescape_preferences.dat
      2008-08-29 22:47 . 2008-08-29 22:47   <DIR>   d--------   C:\WINDOWS\Sun
      2008-08-29 22:47 . 2008-08-29 22:47   <DIR>   d--------   C:\WINDOWS\.jagex_cache_32
      2008-08-19 22:49 . 2008-08-19 22:57   <DIR>   d--------   C:\Program Files\PokerStars
      2008-07-21 23:33 . 2008-07-21 23:33   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\NeoEdge Networks
      2008-07-21 23:02 . 2008-07-21 23:02   0   --a------   C:\WINDOWS\nsreg.dat
      2008-07-19 11:04 . 2008-08-31 16:15   <DIR>   d--h-----   C:\$AVG8.VAULT$
      2008-07-18 15:48 . 2008-07-19 11:30   <DIR>   d--------   C:\Program Files\GameSpy Arcade

      .
      ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
      .
      2008-08-30 14:49   97,928   ----a-w   C:\WINDOWS\system32\drivers\avgldx86.sys
      2008-08-20 02:51   351,541   ----a-w   C:\WINDOWS\java\Packages\VJ9NF9JX.ZIP
      2008-07-28 04:18   440,816   ----a-w   C:\WINDOWS\java\Packages\P75JLNDF.ZIP
      2008-07-18 21:01   491,040   ----a-w   C:\WINDOWS\java\Packages\GE9NPZZT.ZIP
      2008-07-05 06:10   76,040   ----a-w   C:\WINDOWS\system32\drivers\avgtdix.sys
      2008-07-05 06:10   10,520   ----a-w   C:\WINDOWS\system32\avgrsstx.dll
      2008-05-24 03:27   487,105   ----a-w   C:\WINDOWS\java\Packages\QW8LNFPV.ZIP
      .

      (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
      .
      .
      *Note* empty entries & legit default entries are not shown
      REGEDIT4

      [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
      "Start WingMan Profiler"="C:\Program Files\Logitech\Profiler\lwemon.exe" [2004-04-23 14:28 77824]
      "swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-09-12 19:56 68856]
      "igndlm.exe"="C:\Program Files\IGN\Download Manager\DLM.exe" [2007-03-05 13:57 1103480]
      "shappwin"="C:\WINDOWS\system32\qtubynul.exe" [2008-08-30 16:04 90112]

      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
      "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 01:41 8523776]
      "RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 21:24 32768]
      "REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.EXE" [2002-02-04 22:32 53248]
      "NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-12-05 01:41 81920]
      "AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-08-30 09:49 1235736]
      "SoundMan"="SOUNDMAN.EXE" [2005-10-04 15:12 90112 C:\WINDOWS\soundman.exe]
      "nwiz"="nwiz.exe" [2007-12-05 01:41 1626112 C:\WINDOWS\system32\nwiz.exe]

      [HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
      "GQT7qr190e"="C:\Documents and Settings\All Users\Application Data\yncxkzwr\qtyvqpcb.exe" [2008-08-30 16:04 65536]

      C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
      Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 03:38:16 29696]
      Exif Launcher.lnk - D:\Program Files\FinePixViewer\QuickDCF.exe [2006-06-02 18:07:18 200704]
      Microsoft Office.lnk - D:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-01-21 03:15:54 65588]

      [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
      "AppInit_DLLs"=avgrsstx.dll

      [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
      Notification Packages   REG_MULTI_SZ      scecli scecli

      [HKEY_LOCAL_MACHINE\software\microsoft\security center]
      "AntiVirusDisableNotify"=dword:00000001
      "UpdatesDisableNotify"=dword:00000001

      [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
      "%windir%\\system32\\sessmgr.exe"=
      "E:\\Program Files\\Steam\\SteamApps\\highliter\\day of defeat source\\hl2.exe"=
      "E:\\Program Files\\Steam\\SteamApps\\highliter\\counter-strike\\hl.exe"=
      "E:\\Program Files\\Steam\\SteamApps\\highliter\\counter-strike source\\hl2.exe"=
      "C:\\Program Files\\Yahoo!\\Yahoo! Music Engine\\YahooMusicEngine.exe"=
      "E:\\Program Files\\EVE Test\\EVE\\bin\\ExeFile.exe"=
      "C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
      "C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=

      R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-08-30 09:49]
      R2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-08-30 09:49]
      R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-08-30 09:49]
      R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-07-05 01:10]
      R2 ETDrv;ETDrv;C:\WINDOWS\system32\drivers\ETDrv.sys [2003-08-07 12:39]
      S3 MarkFun_NT;MarkFun_NT;C:\Program Files\Gigabyte\Gigabyte Windows Utility Manager\ET4\markfun.w32 [2003-04-15 11:16]
      .
      - - - - ORPHANS REMOVED - - - -

      WebBrowser-{A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6} - (no file)
      HKCU-Run-Steam - (no file)
      HKLM-Run-lphc9e4j0er2e - C:\WINDOWS\system32\lphc9e4j0er2e.exe
      HKLM-Run-SMrhcce4j0er2e - C:\Program Files\rhcce4j0er2e\rhcce4j0er2e.exe


      .
      ------- Supplementary Scan -------
      .
      FireFox -: Profile - C:\Documents and Settings\Evil\Application Data\Mozilla\Firefox\Profiles\f6dh42wb.default\
      FF -: plugin - C:\Program Files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
      FF -: plugin - C:\Program Files\IGN\Download Manager\npfpdlm.dll
      FF -: plugin - d:\Program Files\QuickTime\Plugins\npqtplugin.dll
      FF -: plugin - d:\Program Files\QuickTime\Plugins\npqtplugin2.dll
      FF -: plugin - d:\Program Files\QuickTime\Plugins\npqtplugin3.dll
      FF -: plugin - d:\Program Files\QuickTime\Plugins\npqtplugin4.dll
      FF -: plugin - d:\Program Files\QuickTime\Plugins\npqtplugin5.dll
      .

      **************************************************************************

      catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
      Rootkit scan 2008-08-31 16:23:33
      Windows 5.1.2600 Service Pack 2 NTFS

      scanning hidden processes ...

      scanning hidden autostart entries ...

      scanning hidden files ...

      scan completed successfully
      hidden files: 0

      **************************************************************************

      [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MarkFun_NT]
      "ImagePath"="\??\C:\Program Files\Gigabyte\Gigabyte Windows Utility Manager\ET4\markfun.w32"
      .
      ------------------------ Other Running Processes ------------------------
      .
      C:\WINDOWS\system32\nvsvc32.exe
      C:\WINDOWS\system32\rundll32.exe
      C:\WINDOWS\system32\WgaTray.exe
      C:\Program Files\AVG\AVG8\avgrsx.exe
      .
      **************************************************************************
      .
      Completion time: 2008-08-31 16:26:24 - machine was rebooted
      ComboFix-quarantined-files.txt  2008-08-31 21:26:13

      Pre-Run: 7,929,675,776 bytes free
      Post-Run: 7,969,239,040 bytes free


      evilfantasy

      Re: What is this?
      « Reply #3 on: August 31, 2008, 03:37:21 PM »
      Note: the below instructions were created specifically for this user. If you are not this user, DO NOT follow these directions as they could damage the workings of your system

      Delete these files/folders, as follows:

      1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
      It must be Notepad, not Wordpad.
      2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

      Code:
      KillAll::

      File::
      C:\Documents and Settings\All Users\Application Data\yncxkzwr
      C:\WINDOWS\system32\msxml71.dll
      C:\WINDOWS\system32\qtubynul.exe

      Registry::
      [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
      "shappwin"=-
      [HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
      "GQT7qr190e"=-

      3. Go to the Notepad window and click Edit > Paste
      4. Then click File > Save
      5. Name the file CFScript.txt - Save the file to your Desktop
      6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!



      ComboFix will begin to execute, just follow the prompts.
      After reboot (in case it asks to reboot), it will produce a log for you.
      Post that log (Combofix.txt) in your next reply.

      Note: Do not mouseclick ComboFix's window while it is running. That may cause your system to freeze
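The log in Reply #2 and the CFScript in Reply #3 show the analyst's reasoning only by its result: two Run-key values pointing at freshly written, randomly named executables, plus the files created in the same minute as those executables. The script below is an added example, not code from this thread or from ComboFix, that makes that reasoning explicit. It parses the "Files Created" and "Reg Loading Points" sections of the log excerpt embedded in it, scores each autorun entry with a few weighted heuristics (recently written binary, user-writable directory, the policies\Explorer\Run key, a random-looking file name), pivots on the creation minute of anything flagged to find dropper siblings, and drafts a CFScript in the layout used above. The weights, the threshold of 2, the 7-day window, the vowel-ratio check and the rule that skips same-minute directories under Program Files are all assumptions of this example; SCAN_TIME is taken from the log header.

```python
"""Triage the 'Reg Loading Points' and 'Files Created' sections of a ComboFix log.
Added example, not part of the thread or of ComboFix; weights and thresholds are assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Excerpt of the log posted in Reply #2, trimmed to the lines parsed below.
LOG = r"""(((((((((((((((((((((((((   Files Created from 2008-07-28 to 2008-08-31  )))))))))))))))))))))))))))))))
2008-08-30 18:05 . 2008-08-30 18:05   <DIR>   d--------   C:\Program Files\Enigma Software Group
2008-08-30 16:04 . 2008-08-30 16:29   <DIR>   d--------   C:\Program Files\SAV
2008-08-30 16:04 . 2008-08-30 16:04   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\yncxkzwr
2008-08-30 16:04 . 2008-08-30 16:04   115,204   --a------   C:\WINDOWS\system32\msxml71.dll
2008-08-30 16:04 . 2008-08-30 16:04   90,112   --a------   C:\WINDOWS\system32\qtubynul.exe
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-09-12 19:56 68856]
"shappwin"="C:\WINDOWS\system32\qtubynul.exe" [2008-08-30 16:04 90112]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-08-30 09:49 1235736]
"SoundMan"="SOUNDMAN.EXE" [2005-10-04 15:12 90112 C:\WINDOWS\soundman.exe]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
"GQT7qr190e"="C:\Documents and Settings\All Users\Application Data\yncxkzwr\qtyvqpcb.exe" [2008-08-30 16:04 65536]
"""
SCAN_TIME = datetime(2008, 8, 31, 16, 17)  # from the log header: 2008-08-31 16:17:06.1

FILE_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d) \. \S+ \S+\s+(<DIR>|[\d,]+)\s+\S+\s+(.+)$")
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"="([^"]*)" \[(\d{4}-\d\d-\d\d \d\d:\d\d) \d+(?: (.+?))?\]$')
USER_WRITABLE = ("\\application data\\", "\\documents and settings\\", "\\temp\\")

def ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")

def parse_files(log):
    """(created, is_dir, path) for every line of the Files Created section."""
    rows = []
    for m in filter(None, (FILE_RE.match(line.strip()) for line in log.splitlines())):
        rows.append((ts(m.group(1)), m.group(2) == "<DIR>", m.group(3)))
    return rows

def parse_autoruns(log):
    """(key, value name, resolved path, file time) for every Run-key value."""
    rows, key = [], None
    for line in log.splitlines():
        km, vm = KEY_RE.match(line.strip()), VALUE_RE.match(line.strip())
        if km:
            key = km.group(1)
        elif key and vm:  # ComboFix puts the resolved path in the bracket when the value is bare
            rows.append((key, vm.group(1), vm.group(4) or vm.group(2), ts(vm.group(3))))
    return rows

def looks_random(stem):
    """Crude check for names like qtubynul or yncxkzwr: 8+ letters, at most a quarter vowels."""
    return len(stem) >= 8 and stem.isalpha() and sum(c in "aeiou" for c in stem) / len(stem) <= 0.25

def score(key, path, ftime, scan_time):
    """Weighted heuristics (weights assumed by this example); returns (points, reasons that fired)."""
    low = path.lower()
    stem = low.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    checks = [
        (1, scan_time - ftime <= timedelta(days=7), "binary written in the last 7 days"),
        (2, any(s in low for s in USER_WRITABLE), "lives in a user-writable directory"),
        (2, "policies\\explorer\\run" in key.lower(), "policies\\Explorer\\Run key"),
        (1, looks_random(stem), "random-looking file name"),
    ]
    return sum(p for p, hit, _ in checks if hit), [why for _, hit, why in checks if hit]

def triage(log, scan_time, threshold=2):
    """Autoruns scoring at or above the threshold, keyed by resolved path."""
    flagged = {}
    for key, name, path, ftime in parse_autoruns(log):
        points, reasons = score(key, path, ftime, scan_time)
        if points >= threshold:
            flagged[path] = {"key": key, "name": name, "ftime": ftime, "score": points, "reasons": reasons}
    return flagged

def pivot_same_minute(log, flagged):
    """Files and folders created in the same minute as a flagged binary (dropper siblings).
    Assumption: a same-minute directory under Program Files is an install and is skipped."""
    minutes = {info["ftime"] for info in flagged.values()}
    return [path for ctime, is_dir, path in parse_files(log)
            if ctime in minutes and path not in flagged
            and not (is_dir and path.lower().startswith("c:\\program files\\"))]

def draft_cfscript(flagged, extra):
    """Draft in the CFScript layout used in Reply #3; review every line before using it."""
    lines = ["KillAll::", "", "File::", *sorted(set(flagged) | set(extra)), "", "Registry::"]
    by_key = defaultdict(list)
    for info in flagged.values():
        by_key[info["key"]].append(info["name"])
    for key, names in by_key.items():
        lines.append(f"[{key}]")
        lines.extend(f'"{name}"=-' for name in names)  # "=-" deletes the value
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    hits = triage(LOG, SCAN_TIME)
    for path, info in hits.items():
        print(f"[{info['score']}] {info['name']} -> {path}: {'; '.join(info['reasons'])}")
    print(draft_cfscript(hits, pivot_same_minute(LOG, hits)))
```

Run against the excerpt, it flags shappwin (score 2: recent plus random name) and GQT7qr190e (score 6), leaves the AVG tray entry alone even though it was also written on 2008-08-30, and the same-minute pivot adds the yncxkzwr folder and msxml71.dll while skipping C:\Program Files\SAV. The resulting draft matches the moderator's script apart from also listing qtyvqpcb.exe inside the folder that is already being removed. The output is a starting point for a human, not something to drop on ComboFix unread: the scoring is tuned to this one log, and a legitimate installer that happens to land in the same minute would be listed too.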

      SirOlwyn

        Re: What is this?
        « Reply #4 on: August 31, 2008, 03:51:04 PM »
        ComboFix 08-08-30.03 - Evil 2008-08-31 16:43:11.2 - NTFSx86
        Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.765 [GMT -5:00]
        Running from: C:\Documents and Settings\Evil\Desktop\ComboFix.exe
        Command switches used :: C:\Documents and Settings\Evil\Desktop\CFScript.txt
         * Created a new restore point

        WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
        .

        (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
        .

        C:\WINDOWS\system32\msxml71.dll
        C:\WINDOWS\system32\qtubynul.exe

        .
        (((((((((((((((((((((((((   Files Created from 2008-07-28 to 2008-08-31  )))))))))))))))))))))))))))))))
        .

        2008-08-30 18:05 . 2008-08-30 18:05   <DIR>   d--------   C:\Program Files\Enigma Software Group
        2008-08-30 17:06 . 2008-08-30 17:06   74   --a------   C:\WINDOWS\st_affiliate.ini
        2008-08-30 16:04 . 2008-08-30 16:29   <DIR>   d--------   C:\Program Files\SAV
        2008-08-30 16:04 . 2008-08-30 16:04   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\yncxkzwr
        2008-08-29 22:48 . 2008-08-29 22:48   0   --a------   C:\Documents and Settings\Evil\jagex_runescape_preferences.dat
        2008-08-29 22:47 . 2008-08-29 22:47   <DIR>   d--------   C:\WINDOWS\Sun
        2008-08-29 22:47 . 2008-08-29 22:47   <DIR>   d--------   C:\WINDOWS\.jagex_cache_32
        2008-08-19 22:49 . 2008-08-19 22:57   <DIR>   d--------   C:\Program Files\PokerStars
        2008-07-21 23:33 . 2008-07-21 23:33   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\NeoEdge Networks
        2008-07-21 23:02 . 2008-07-21 23:02   0   --a------   C:\WINDOWS\nsreg.dat
        2008-07-19 11:04 . 2008-08-31 16:15   <DIR>   d--h-----   C:\$AVG8.VAULT$
        2008-07-18 15:48 . 2008-07-19 11:30   <DIR>   d--------   C:\Program Files\GameSpy Arcade

        .
        ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
        .
        2008-08-30 14:49   97,928   ----a-w   C:\WINDOWS\system32\drivers\avgldx86.sys
        2008-08-20 02:51   351,541   ----a-w   C:\WINDOWS\java\Packages\VJ9NF9JX.ZIP
        2008-07-28 04:18   440,816   ----a-w   C:\WINDOWS\java\Packages\P75JLNDF.ZIP
        2008-07-18 21:01   491,040   ----a-w   C:\WINDOWS\java\Packages\GE9NPZZT.ZIP
        2008-07-05 06:10   76,040   ----a-w   C:\WINDOWS\system32\drivers\avgtdix.sys
        2008-07-05 06:10   10,520   ----a-w   C:\WINDOWS\system32\avgrsstx.dll
        2008-05-24 03:27   487,105   ----a-w   C:\WINDOWS\java\Packages\QW8LNFPV.ZIP
        .

        (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
        .
        .
        *Note* empty entries & legit default entries are not shown
        REGEDIT4

        [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
        "Start WingMan Profiler"="C:\Program Files\Logitech\Profiler\lwemon.exe" [2004-04-23 14:28 77824]
        "swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-09-12 19:56 68856]
        "igndlm.exe"="C:\Program Files\IGN\Download Manager\DLM.exe" [2007-03-05 13:57 1103480]

        [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
        "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 01:41 8523776]
        "RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 21:24 32768]
        "REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.EXE" [2002-02-04 22:32 53248]
        "NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-12-05 01:41 81920]
        "AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-08-30 09:49 1235736]
        "SoundMan"="SOUNDMAN.EXE" [2005-10-04 15:12 90112 C:\WINDOWS\soundman.exe]
        "nwiz"="nwiz.exe" [2007-12-05 01:41 1626112 C:\WINDOWS\system32\nwiz.exe]

        C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
        Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 03:38:16 29696]
        Exif Launcher.lnk - D:\Program Files\FinePixViewer\QuickDCF.exe [2006-06-02 18:07:18 200704]
        Microsoft Office.lnk - D:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-01-21 03:15:54 65588]

        [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
        "AppInit_DLLs"=avgrsstx.dll

        [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
        Notification Packages   REG_MULTI_SZ      scecli scecli

        [HKEY_LOCAL_MACHINE\software\microsoft\security center]
        "AntiVirusDisableNotify"=dword:00000001
        "UpdatesDisableNotify"=dword:00000001

        [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
        "%windir%\\system32\\sessmgr.exe"=
        "E:\\Program Files\\Steam\\SteamApps\\highliter\\day of defeat source\\hl2.exe"=
        "E:\\Program Files\\Steam\\SteamApps\\highliter\\counter-strike\\hl.exe"=
        "E:\\Program Files\\Steam\\SteamApps\\highliter\\counter-strike source\\hl2.exe"=
        "C:\\Program Files\\Yahoo!\\Yahoo! Music Engine\\YahooMusicEngine.exe"=
        "E:\\Program Files\\EVE Test\\EVE\\bin\\ExeFile.exe"=
        "C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
        "C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=

        R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-08-30 09:49]
        R2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-08-30 09:49]
        R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-08-30 09:49]
        R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-07-05 01:10]
        R2 ETDrv;ETDrv;C:\WINDOWS\system32\drivers\ETDrv.sys [2003-08-07 12:39]
        S3 MarkFun_NT;MarkFun_NT;C:\Program Files\Gigabyte\Gigabyte Windows Utility Manager\ET4\markfun.w32 [2003-04-15 11:16]
        .

        **************************************************************************

        catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
        Rootkit scan 2008-08-31 16:46:05
        Windows 5.1.2600 Service Pack 2 NTFS

        scanning hidden processes ...

        scanning hidden autostart entries ...

        scanning hidden files ...


        **************************************************************************

        [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MarkFun_NT]
        "ImagePath"="\??\C:\Program Files\Gigabyte\Gigabyte Windows Utility Manager\ET4\markfun.w32"
        .
        ------------------------ Other Running Processes ------------------------
        .
        C:\WINDOWS\system32\nvsvc32.exe
        C:\WINDOWS\system32\rundll32.exe
        C:\WINDOWS\system32\WgaTray.exe
        C:\Program Files\AVG\AVG8\avgrsx.exe
        C:\Program Files\AVG\AVG8\avgrsx.exe
        .
        **************************************************************************
        .
        Completion time: 2008-08-31 16:49:28 - machine was rebooted
        ComboFix-quarantined-files.txt  2008-08-31 21:49:21
        ComboFix2.txt  2008-08-31 21:26:29

        Pre-Run: 7,957,159,936 bytes free
        Post-Run: 7,948,324,864 bytes free


        evilfantasy

        Re: What is this?
        « Reply #5 on: August 31, 2008, 03:54:30 PM »
        Sorry I missed one.

        Go to My Computer->Tools->Folder Options->View tab:
        • Under the Hidden files and folders heading:
        • Select Show hidden files and folders.
        • Uncheck Hide protected operating system files (recommended) option.
        • Also, make sure there is no checkmark beside Hide file extensions for known file types.
        • Click OK
        .
        Open My Computer from the desktop and find then delete this folder.

        C:\Documents and Settings\All Users\Application Data\yncxkzwr

        ----------

        Download TrendMicro HijackThis.exe (HJT)

        • Double-click on HJTInstall.
        • Click on the Install button.
        • It will automatically place HJT in C:\Program Files\TrendMicro\HijackThis\HijackThis.exe.
        • Upon install, HijackThis should open for you.
        • Click on the Do a system scan and save a log file button
        • HijackThis will scan and then a log will open in notepad.
        • Copy and then paste the entire contents of the log in your post.
        • Do not have HijackThis fix anything yet. Most of what it finds will be harmless or even required.

        SirOlwyn

          Re: What is this?
          « Reply #6 on: August 31, 2008, 03:59:51 PM »
          Logfile of Trend Micro HijackThis v2.0.2
          Scan saved at 4:59:13 PM, on 8/31/2008
          Platform: Windows XP SP2 (WinNT 5.01.2600)
          MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
          Boot mode: Normal

          Running processes:
          C:\WINDOWS\System32\smss.exe
          C:\WINDOWS\system32\winlogon.exe
          C:\WINDOWS\system32\services.exe
          C:\WINDOWS\system32\lsass.exe
          C:\WINDOWS\system32\svchost.exe
          C:\WINDOWS\System32\svchost.exe
          C:\WINDOWS\system32\svchost.exe
          C:\WINDOWS\system32\spoolsv.exe
          C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
          C:\WINDOWS\system32\nvsvc32.exe
          C:\PROGRA~1\AVG\AVG8\avgemc.exe
          C:\WINDOWS\SOUNDMAN.EXE
          C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
          C:\WINDOWS\system32\RUNDLL32.EXE
          C:\Program Files\Logitech\Profiler\lwemon.exe
          C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
          C:\WINDOWS\System32\svchost.exe
          D:\Program Files\FinePixViewer\QuickDCF.exe
          C:\WINDOWS\system32\WgaTray.exe
          C:\WINDOWS\explorer.exe
          C:\Program Files\AVG\AVG8\avgrsx.exe
          C:\Program Files\AVG\AVG8\avgrsx.exe
          C:\Program Files\Internet Explorer\iexplore.exe
          C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

          R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
          R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
          R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
          R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
          O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
          O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
          O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
          O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
          O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
          O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
          O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
          O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
          O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
          O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
          O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
          O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
          O4 - HKCU\..\Run: [Start WingMan Profiler] "C:\Program Files\Logitech\Profiler\lwemon.exe" /noui
          O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
          O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\IGN\Download Manager\DLM.exe /windowsstart /startifwork
          O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
          O4 - Global Startup: Exif Launcher.lnk = ?
          O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
          O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe (file missing)
          O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
          O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
          O16 - DPF: Yahoo! Cribbage - http://download.games.yahoo.com/games/clients/y/it1_x.cab
          O16 - DPF: Yahoo! Dominoes - http://origin.games.yahoo.net/games/clients/y/dot9_x.cab
          O16 - DPF: Yahoo! Fleet - http://origin.games.yahoo.net/games/clients/y/fltt3_x.cab
          O16 - DPF: Yahoo! Gin - http://download.games.yahoo.com/games/clients/y/nt1_x.cab
          O16 - DPF: Yahoo! Hearts - http://origin.games.yahoo.net/games/clients/y/ht1_x.cab
          O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt3_x.cab
          O16 - DPF: Yahoo! Spades - http://origin.games.yahoo.net/games/clients/y/st3_x.cab
          O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
          O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1140239763375
          O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
          O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1140239550234
          O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
          O20 - AppInit_DLLs: avgrsstx.dll
          O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
          O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
          O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
          O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
          O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

          --
          End of file - 5640 bytes

          evilfantasy

          Re: What is this?
          « Reply #7 on: August 31, 2008, 04:02:05 PM »
          Looks good. How is everything now?

          SirOlwyn

            Re: What is this?
            « Reply #8 on: August 31, 2008, 04:04:01 PM »
            I'll turn AVG back on and restart, then let you know.

            SirOlwyn

              Re: What is this?
              « Reply #9 on: August 31, 2008, 04:13:36 PM »
              So far everything is great. Thanks a million. I have had other sites try and help me but they don't hold a candle to you. This has to be my new favorite site of all time. Thank you again.

              evilfantasy

              Re: What is this?
              « Reply #10 on: August 31, 2008, 04:15:20 PM »
              Thanks!!

              Let's clear out the programs we've been using to clean up your computer; they are not suitable for general malware removal and could cause damage if launched accidentally. These steps will also help secure the work you have done.
              .
              • Click START then RUN
              • Now type Combofix /u in the runbox
              • Make sure there's a space between Combofix and /u
              • Then hit Enter.
              .
              .
              ----------

              Set a New Restore Point to prevent possible reinfection from an old one
              Setting a new restore point AFTER cleaning your system will enable your computer to roll-back to a clean working state if needed.
              • Go to Start > Programs > Accessories > System Tools and click System Restore
              • Choose the radio button marked Create a Restore Point on the first screen, then click Next. Give the Restore Point a name, then click Create.
              • The new restore point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
              • Next go to Start > Run and type Cleanmgr
              • Click OK
              • Click the More Options Tab.
              • Click Clean Up in the System Restore section to remove all previous restore points except the newly created clean one.
              You can find instructions on how to enable and re-enable system restore here:

              Windows XP System Restore Guide or Windows Vista System Restore Guide
              .
              ----------

              Use the Secunia Software Inspector to check for out of date software.
              • Click Start Now
              • Check the box next to Enable thorough system inspection.
              • Click Start
              • Allow the scan to finish and scroll down to see if any updates are needed.
              • Update anything listed.
              .
              ----------

              Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.

              Also see Slow Computer? It May Not Be Malware for free cleaning/maintenance tools to help keep your computer running smooth.