extreme182

weird temp files multiplying

15 posts in this topic

hey there,

Well, I'm running Windows XP Home.

My problem is I somehow got these temp files called win1.tmp, win1A.tmp and other similar forms that multiply exponentially from time to time (while sometimes creating dialers that I can manually delete anyway). The other thing is that they are the only temp files there are in the win/temp folder.

 

The thing is, they don't look like they're doing any damage, and the process that fits with their name is not running anymore in the task manager, but I can't delete them though they're temp (not even with Move On Boot), and it bothers me a lot that there's some kind of invisible threat. NAV doesn't detect it, neither did Panda and some others.

I have done a little research and it seems that a HijackThis report helps you, so I have downloaded and scanned. Here are my findings:

 

Logfile of HijackThis v1.99.1

Scan saved at 18:56:01, on 02/06/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Virgin Broadband\PCguard\fws.exe

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe

C:\Program Files\Common Files\Command Software\dvpapi.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\VTTimer.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe

C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe

C:\apps\ABoard\ABoard.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe

C:\Program Files\Virgin Broadband\PCguard\Rps.exe

C:\apps\ABoard\AOSD.exe

C:\Program Files\QuickTime\qttask.exe

D:\Documents and Settings\All Users\Application Data\udinajkv.exe

C:\PROGRA~1\MANTEC~1\netdde.exe

C:\Program Files\Virgin Broadband\advisor\BroadbandadvisorComHandler.exe

C:\Program Files\blueyonder IST\bin\mpbtn.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe

D:\Documents and Settings\James.main\local settings\Temp\469593.exe

D:\Documents and Settings\James.main\local settings\Temp\654390.exe

D:\Documents and Settings\James.main\local settings\Temp\592734.exe

C:\WINDOWS\explorer.exe

D:\Documents and Settings\James.main\local settings\Temp\654390.exe

D:\Documents and Settings\James.main\local settings\Temp\784234.exe

D:\Documents and Settings\James.main\local settings\Temp\847718.exe

D:\Documents and Settings\James.main\local settings\Temp\912406.exe

C:\Program Files\Mozilla Firefox\firefox.exe

D:\Documents and Settings\James.main\Desktop\hijackthis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.blueyonder.co.uk/search/search.jsp

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = file://C:\APPS\IE\offline\uk.htm

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.blueyonder.co.uk/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by blueyonder

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O4 - HKLM\..\Run: [iMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC

O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName

O4 - HKLM\..\Run: [VTTimer] VTTimer.exe

O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe

O4 - HKLM\..\Run: [ulead AutoDetector v2] C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe

O4 - HKLM\..\Run: [ACTIVBOARD] c:\apps\ABoard\ABoard.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [broadbandadvisor.exe] "C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe" /AUTORUN

O4 - HKLM\..\Run: [PCguard] "C:\Program Files\Virgin Broadband\PCguard\Rps.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [udinajkv.exe] D:\Documents and Settings\All Users\Application Data\udinajkv.exe

O4 - HKLM\..\Run: [Genuine] rundll32.exe "C:\WINDOWS\system32\ajjdkqot.dll",realset

O4 - HKCU\..\Run: [EA Core] "C:\Program Files\Electronic Arts\EA Link\Core.exe" -silent

O4 - HKCU\..\Run: [Henl] "C:\PROGRA~1\MANTEC~1\netdde.exe" -vt yazb

O4 - Global Startup: blueyonder Instant Support Tool.lnk = C:\Program Files\blueyonder IST\bin\matcli.exe

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O14 - IERESET.INF: START_PAGE_URL=file://C:\APPS\IE\offline\uk.htm

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll

O16 - DPF: {352797A0-EFD0-4FA6-B229-145120EA4B8A} (Walt Disney Internet Group Hardware Control) - https://disneyblast.go.com/v3/setup/activex...wareControl.cab

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL

O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe

O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe

O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: Microsoft security update service (msupdate) - Unknown owner - c:\windows\system32\msvcrtd.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

 

O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe (file missing)

O23 - Service: PCguard Firewall (RP_FWS) - Radialpoint Inc. - C:\Program Files\Virgin Broadband\PCguard\fws.exe

 

 

Thank you for looking and I would appreciate your help :D


Welcome to SWI. We apologize for the delay; our helpers have been very busy.

If you have not received help after 3 days, please CLICK HERE, and post a link to your log and the date it was originally posted.

 

Thank you for your patience.

 

[this is an automated reply]


Hello extreme182,

 

We are currently studying your log and will be back to you as soon as possible. Thank you for your patience.


You have not been forgotten extreme182. We should have a reply for you soon.

 

Thank you for your patience.


Welcome to SWI, I'll be helping you clean your computer.

 

Please rename the HijackThis.exe file to something else; it doesn't matter what, as long as it's not HijackThis. Then please post a fresh HijackThis (HJT) log.


Welcome to SWI, I'll be helping you clean your computer.

 

Please rename the HijackThis.exe file to something else; it doesn't matter what, as long as it's not HijackThis. Then please post a fresh HijackThis (HJT) log.

 

 

I'm not quite sure if I have done it correctly, but ...

 

Logfile of HijackThis v1.99.1

Scan saved at 09:18:11, on 09/06/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Virgin Broadband\PCguard\fws.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe

C:\Program Files\Common Files\Command Software\dvpapi.exe

C:\WINDOWS\system32\VTTimer.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe

C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe

C:\apps\ABoard\ABoard.exe

C:\apps\ABoard\AOSD.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe

C:\Program Files\Virgin Broadband\PCguard\Rps.exe

C:\Program Files\QuickTime\qttask.exe

D:\Documents and Settings\All Users\Application Data\udinajkv.exe

C:\Program Files\Common Files\WinAntiSpyware 2007\uwas7cw.exe

C:\PROGRA~1\MANTEC~1\netdde.exe

D:\Documents and Settings\James.main\Application Data\?ppPatch\d?xplore.exe

C:\Program Files\blueyonder IST\bin\mpbtn.exe

C:\Program Files\Virgin Broadband\advisor\BroadbandadvisorComHandler.exe

C:\Program Files\Mozilla Firefox\firefox.exe

D:\Documents and Settings\James.main\Desktop\hijackthis\HJT.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.blueyonder.co.uk/search/search.jsp

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = file://C:\APPS\IE\offline\uk.htm

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.blueyonder.co.uk/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by blueyonder

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: PopKill Class - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Virgin Broadband\PCguard\pkR.dll

O2 - BHO: ZKBho Class - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Virgin Broadband\PCguard\FBHR.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: (no name) - {861DF07A-ADA5-4995-A2C7-2C747FC5B94C} - C:\WINDOWS\system32\sstqo.dll

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: (no name) - {BEDF30ED-41B2-4CDC-875A-ED063C81AF7B} - C:\WINDOWS\system32\byxwwvw.dll

O2 - BHO: (no name) - {C37F396F-8B8B-DC70-8A7C-89ADACE924CE} - C:\WINDOWS\system32\wniuvjp.dll

O2 - BHO: (no name) - {E12BFF69-38A7-406e-A8EF-2738107A7831} - C:\WINDOWS\system32\nyaxwifa.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O4 - HKLM\..\Run: [iMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC

O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName

O4 - HKLM\..\Run: [VTTimer] VTTimer.exe

O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe

O4 - HKLM\..\Run: [ulead AutoDetector v2] C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe

O4 - HKLM\..\Run: [ACTIVBOARD] c:\apps\ABoard\ABoard.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [broadbandadvisor.exe] "C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe" /AUTORUN

O4 - HKLM\..\Run: [PCguard] "C:\Program Files\Virgin Broadband\PCguard\Rps.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [udinajkv.exe] D:\Documents and Settings\All Users\Application Data\udinajkv.exe

O4 - HKLM\..\Run: [j8241635] rundll32 C:\WINDOWS\system32\j8241635.dll sook

O4 - HKLM\..\Run: [ApachInc] rundll32.exe "C:\WINDOWS\system32\cogovnhg.dll",realset

O4 - HKLM\..\Run: [uwas7cw] "C:\Program Files\Common Files\WinAntiSpyware 2007\uwas7cw.exe" -c

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKCU\..\Run: [EA Core] "C:\Program Files\Electronic Arts\EA Link\Core.exe" -silent

O4 - HKCU\..\Run: [Henl] "C:\PROGRA~1\MANTEC~1\netdde.exe" -vt yazb

O4 - HKCU\..\Run: [Mwlqls] "D:\Documents and Settings\James.main\Application Data\?ppPatch\d?xplore.exe"

O4 - Global Startup: blueyonder Instant Support Tool.lnk = C:\Program Files\blueyonder IST\bin\matcli.exe

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O14 - IERESET.INF: START_PAGE_URL=file://C:\APPS\IE\offline\uk.htm

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll

O16 - DPF: {352797A0-EFD0-4FA6-B229-145120EA4B8A} (Walt Disney Internet Group Hardware Control) - https://disneyblast.go.com/v3/setup/activex...wareControl.cab

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL

O20 - Winlogon Notify: byxwwvw - C:\WINDOWS\SYSTEM32\byxwwvw.dll

O20 - Winlogon Notify: sstqo - C:\WINDOWS\system32\sstqo.dll

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O20 - Winlogon Notify: winhoo32 - C:\WINDOWS\SYSTEM32\winhoo32.dll

O20 - Winlogon Notify: winuqw32 - C:\WINDOWS\SYSTEM32\winuqw32.dll

O20 - Winlogon Notify: winwim32 - C:\WINDOWS\SYSTEM32\winwim32.dll

O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe

O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe

O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: Microsoft security update service (msupdate) - Unknown owner - c:\windows\system32\msvcrtd.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe (file missing)

O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe (file missing)

O23 - Service: PCguard Firewall (RP_FWS) - Radialpoint Inc. - C:\Program Files\Virgin Broadband\PCguard\fws.exe

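The two logs above are what a helper reads by hand: processes started from Temp or Application Data, BHOs with no name, rundll32 entries loading unfamiliar DLLs, extra Winlogon Notify packages, and services with no vendor or a missing binary. The script below is an added example, not code from this thread, from HijackThis or from SWI; it writes that first-pass triage down so it can be repeated on any HJT v1.99 text log. The sample lines are copied from the posted logs; the allowlists, the folder heuristic and the finding categories are assumptions made for the example, not HijackThis rules.

```python
"""Triage of a HijackThis (HJT) v1.99 text log.

Added example, not part of the thread, HijackThis or SWI. It picks out the
line types a helper reads first (running processes, O2 BHOs, O4 Run entries,
O20 Winlogon Notify hooks, O23 services) and flags the patterns visible in
the logs posted above. Allowlists and heuristics are assumptions.
"""
import re
from collections import Counter

# Constructed sample: lines copied from the two HJT logs posted in this thread,
# trimmed to one of each interesting case plus a few known-good lines.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
D:\Documents and Settings\James.main\local settings\Temp\469593.exe
C:\Program Files\Mozilla Firefox\firefox.exe

O2 - BHO: (no name) - {861DF07A-ADA5-4995-A2C7-2C747FC5B94C} - C:\WINDOWS\system32\sstqo.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Genuine] rundll32.exe "C:\WINDOWS\system32\ajjdkqot.dll",realset
O4 - HKLM\..\Run: [udinajkv.exe] D:\Documents and Settings\All Users\Application Data\udinajkv.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winuqw32 - C:\WINDOWS\SYSTEM32\winuqw32.dll
O23 - Service: Microsoft security update service (msupdate) - Unknown owner - c:\windows\system32\msvcrtd.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# Assumed allowlists: DLLs that legitimately load through rundll32 at logon
# (the NVIDIA entries in the posted log) and Winlogon Notify packages that
# ship with Windows XP or with Windows Genuine Advantage.
KNOWN_RUNDLL_DLLS = {"nvcpl.dll", "nvmctray.dll"}
KNOWN_WINLOGON_NOTIFY = {"wgalogon.dll", "wlnotify.dll", "cscdll.dll",
                         "crypt32.dll", "cryptnet.dll", "sclgntfy.dll"}

ENTRY = re.compile(r"^([RFNO]\d+) - (.*)$")            # e.g. "O4 - HKLM\..\Run: ..."
RUNDLL_TARGET = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+\.dll)', re.I)
PROFILE_DATA = re.compile(r"\\(temp|application data)\\.*?\.exe\b", re.I)


def basename(path):
    """Lower-cased file name of a Windows path, quotes stripped."""
    return path.strip().strip('"').rsplit("\\", 1)[-1].lower()


def triage(log_text):
    """Return a list of (kind, reason, line) findings for one HJT log."""
    findings = []
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:                      # blank line ends the process list
            in_processes = False
            continue
        if line.lower().startswith("running processes"):
            in_processes = True
            continue
        if in_processes:
            if PROFILE_DATA.search(line):
                findings.append(("process", "executable running from a Temp or Application Data folder", line))
            continue
        m = ENTRY.match(line)
        if not m:
            continue
        kind, body = m.groups()
        if kind == "O2" and "(no name)" in body:
            findings.append((kind, "BHO registered without a name", line))
        elif kind == "O4":
            target = RUNDLL_TARGET.search(body)
            if target and basename(target.group(1)) not in KNOWN_RUNDLL_DLLS:
                findings.append((kind, "rundll32 loads a DLL that is not on the allowlist", line))
            elif PROFILE_DATA.search(body):
                findings.append((kind, "autostart points into a Temp or Application Data folder", line))
        elif kind == "O20":
            dll = basename(body.rsplit(" - ", 1)[-1])
            if dll not in KNOWN_WINLOGON_NOTIFY:
                findings.append((kind, "Winlogon Notify package not in the known-good set", line))
        elif kind == "O23":
            if "(file missing)" in body:
                findings.append((kind, "service entry points to a file that no longer exists", line))
            elif "Unknown owner" in body:
                findings.append((kind, "service binary carries no vendor information", line))
    return findings


def summarise(findings):
    """Count findings per HJT line type, e.g. {'O4': 2, 'O23': 2, ...}."""
    return dict(Counter(kind for kind, _, _ in findings))


if __name__ == "__main__":
    for kind, reason, line in triage(SAMPLE_LOG):
        print(f"[{kind}] {reason}\n    {line}")
    print(summarise(triage(SAMPLE_LOG)))
```

Run against the full second log, the same rules pick up the O2 entries with no name, the `[j8241635]` and `[ApachInc]` rundll32 entries, the `win???32` Winlogon Notify packages and the `msupdate` service. The negatives matter as much as the hits: `KernelFaultCheck` (Windows error reporting) and the NVIDIA rundll32 entries stay silent, which is why the allowlist is a set the reader extends rather than a regex on "random-looking" names.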

Please either print out these instructions or save them to a program like Notepad, because you won't have Internet access in Safe Mode.

 

 

After some of these uninstalls your computer may prompt you to restart; if this happens, choose No and continue with the rest of the uninstalls.

 

Click on the Windows Start button in the left hand corner of your screen.

Go to Control Panel or Settings > Control Panel

Double click on Add or Remove Programs and uninstall

Oin

Yazzle by Oin

Purityscan by Oin

Snowballwars by Oin

or anything else titled Oin or Outerinfo.

Zolero

Tizzletalk

MediaTickets

Cowabanga

 

Optional

You have the Blueyonder Instant Support Tool installed. This program collects information such as your name, address, etc. and saves it as a log file. For more information please go to this site.

If you want to remove it, please also uninstall this:

Blueyonder Instant Support Tool

 

Reboot

 

1. Download this file - combofix.exe

2. Double click combofix.exe & follow the prompts.

3. When finished, it shall produce a log for you. Save it and post that log in your next reply.

 

Note:

Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

 

Reboot

 

Run HijackThis to create a fresh log and post it here.

 

Logs to include in your next reply

ComboFix

HJT


Hey, sorry for the late reply... :blush:

 

ComboFix:

 

ComboFix 07-06-21.3 - D:\Documents and Settings\James.main\My Documents\My Games\mpgh\ComboFix.exe

"James" - 2007-06-22 20:06:33 - Service Pack 2 NTFS

 

 

(((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))

 

 

C:\WINDOWS\system32\pmnli.dll

C:\WINDOWS\system32\bcnsvnqw.dll

C:\WINDOWS\system32\bptbjosx.dll

C:\WINDOWS\system32\cthyusvi.dll

C:\WINDOWS\system32\cypfegck.dll

C:\WINDOWS\system32\dfcuqngq.dll

C:\WINDOWS\system32\dxhvokqd.dll

C:\WINDOWS\system32\ejjgdrfr.dll

C:\WINDOWS\system32\enuetcpp.dll

C:\WINDOWS\system32\fbmlvoux.dll

C:\WINDOWS\system32\gnvvtfsb.dll

C:\WINDOWS\system32\gpklmnrk.dll

C:\WINDOWS\system32\hkqanxul.dll

C:\WINDOWS\system32\iqgefvvl.dll

C:\WINDOWS\system32\ivqknkff.dll

C:\WINDOWS\system32\jkahvigx.dll

C:\WINDOWS\system32\jtdmwwkl.dll

C:\WINDOWS\system32\kbifpxkc.dll

C:\WINDOWS\system32\lhyplpwj.dll

C:\WINDOWS\system32\lrmenyvf.dll

C:\WINDOWS\system32\moehnbmg.dll

C:\WINDOWS\system32\msywuwfd.dll

C:\WINDOWS\system32\nicljohd.dll

C:\WINDOWS\system32\nyaxwifa.dll

C:\WINDOWS\system32\peqhmgve.dll

C:\WINDOWS\system32\punuixky.dll

C:\WINDOWS\system32\rehnbobe.dll

C:\WINDOWS\system32\rxhcwstl.dll

C:\WINDOWS\system32\shqxcbyh.dll

C:\WINDOWS\system32\tnqcdpvq.dll

C:\WINDOWS\system32\tpbvkfmc.dll

C:\WINDOWS\system32\uuawtfbt.dll

C:\WINDOWS\system32\vopfidxa.dll

C:\WINDOWS\system32\xnqxipav.dll

C:\WINDOWS\system32\awttrsq.dll

C:\WINDOWS\system32\cbxvwuu.dll

C:\WINDOWS\system32\hggebby.dll

C:\WINDOWS\system32\rqrqoli.dll

C:\WINDOWS\system32\tuvtrpp.dll

C:\WINDOWS\system32\winuqw32.dll

C:\WINDOWS\system32\winwim32.dll

C:\WINDOWS\system32\ilnmp.bak1

C:\WINDOWS\system32\ilnmp.ini

C:\WINDOWS\system32\ilnmp.tmp

C:\WINDOWS\system32\oqtss.bak1

C:\WINDOWS\system32\oqtss.bak2

C:\WINDOWS\system32\oqtss.ini

C:\WINDOWS\system32\oqtss.ini2

C:\WINDOWS\system32\oqtss.tmp

C:\WINDOWS\system32\wqnvsncb.ini

C:\WINDOWS\system32\xsojbtpb.ini

C:\WINDOWS\system32\ivsuyhtc.ini

C:\WINDOWS\system32\kcgefpyc.ini

C:\WINDOWS\system32\qgnqucfd.ini

C:\WINDOWS\system32\dqkovhxd.ini

C:\WINDOWS\system32\rfrdgjje.ini

C:\WINDOWS\system32\ppcteune.ini

C:\WINDOWS\system32\xuovlmbf.ini

C:\WINDOWS\system32\krnmlkpg.ini

C:\WINDOWS\system32\luxnaqkh.ini

C:\WINDOWS\system32\lvvfegqi.ini

C:\WINDOWS\system32\ffknkqvi.ini

C:\WINDOWS\system32\xgivhakj.ini

C:\WINDOWS\system32\lkwwmdtj.ini

C:\WINDOWS\system32\ckxpfibk.ini

C:\WINDOWS\system32\gmbnheom.ini

C:\WINDOWS\system32\dfwuwysm.ini

C:\WINDOWS\system32\dhojlcin.ini

C:\WINDOWS\system32\evgmhqep.ini

C:\WINDOWS\system32\ykxiunup.ini

C:\WINDOWS\system32\ebobnher.ini

C:\WINDOWS\system32\ltswchxr.ini

C:\WINDOWS\system32\hybcxqhs.ini

C:\WINDOWS\system32\cmfkvbpt.ini

C:\WINDOWS\system32\tbftwauu.ini

C:\WINDOWS\system32\axdifpov.ini

C:\WINDOWS\system32\ilnmp.bak1

C:\WINDOWS\system32\ilnmp.ini

C:\WINDOWS\system32\ilnmp.tmp

C:\WINDOWS\system32\oqtss.bak1

C:\WINDOWS\system32\oqtss.bak2

C:\WINDOWS\system32\oqtss.ini

C:\WINDOWS\system32\oqtss.ini2

C:\WINDOWS\system32\oqtss.tmp

C:\WINDOWS\system32\oqtss.bak1

C:\WINDOWS\system32\oqtss.bak2

C:\WINDOWS\system32\oqtss.ini

C:\WINDOWS\system32\oqtss.ini2

C:\WINDOWS\system32\oqtss.tmp

C:\WINDOWS\system32\sstqo.dll

C:\WINDOWS\system32\byxwwvw.dll

 

 

* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

 

 

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

 

 

C:\Program Files\Common Files\WinAntiSpyware 2007

C:\Program Files\Common Files\WinAntiSpyware 2007\err.log

C:\Program Files\Common Files\WinAntiSpyware 2007\uwas7cw.exe

C:\Program Files\Common Files\WinAntiSpyware 2007\uwasdc.exe

C:\Program Files\Common Files\WinAntiSpyware 2007\uwasers.exe

C:\Program Files\mantec~1

C:\Program Files\mantec~1\netdde.exe

C:\Program Files\outerinfo

C:\Program Files\outerinfo\OiUninstaller.exe

C:\Program Files\outerinfo\outerinfo.ico

C:\Program Files\outerinfo\Terms.rtf

C:\Program Files\WinAntiSpyware 2007

C:\Program Files\WinAntiSpyware 2007\fopnl.dll

C:\WINDOWS\retadpu1000272.exe

C:\WINDOWS\smgr.exe

C:\WINDOWS\system32\9_exception.nls

C:\WINDOWS\system32\drivers\ip6fw.sys

C:\WINDOWS\system32\j8241635.dll

C:\WINDOWS\system32\msxml3a.dll

C:\WINDOWS\system32\winhoo32.dll

C:\WINDOWS\system32\winsys64.exe

C:\WINDOWS\system32\wintsvcc.exe

C:\WINDOWS\system32\wnsxs~1

D:\DOCUME~1\ALLUSE~1\APPLIC~1.\WinAntiSpyware 2007

D:\DOCUME~1\ALLUSE~1\APPLIC~1.\WinAntiSpyware 2007\Data\Abbr

D:\DOCUME~1\ALLUSE~1\APPLIC~1.\WinAntiSpyware 2007\Data\ProductCode

D:\DOCUME~1\JAMES~1.MAI\APPLIC~1.\pppatc~1

D:\DOCUME~1\JAMES~1.MAI\APPLIC~1.\pppatc~1\d?xplore.exe

D:\DOCUME~1\JAMES~1.MAI\APPLIC~1.\WinAntiSpyware 2007

D:\DOCUME~1\JAMES~1.MAI\APPLIC~1.\WinAntiSpyware 2007\Logs\update.log

D:\DOCUME~1\LOCALS~1.NTA\APPLIC~1\netmon

D:\DOCUME~1\LOCALS~1.NTA\APPLIC~1\netmon\domains.txt

D:\DOCUME~1\LOCALS~1.NTA\APPLIC~1\netmon\log.txt

D:\DOCUME~1\LOCALS~1\APPLIC~1\netmon

D:\DOCUME~1\LOCALS~1\APPLIC~1\netmon\domains.txt

D:\DOCUME~1\LOCALS~1\APPLIC~1\netmon\log.txt

 

 

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

 

 

-------\LEGACY_RUNTIME

 

 

((((((((((((((((((((((((( Files Created from 2007-05-22 to 2007-06-22 )))))))))))))))))))))))))))))))

 

 

2007-06-22 20:04 49,152 --a------ C:\WINDOWS\nircmd.exe

2007-06-22 17:14 122,900 --a------ C:\WINDOWS\system32\ddnockip.exe

2007-06-22 16:58 122,900 --a------ C:\WINDOWS\system32\cgpusmxd.exe

2007-06-21 18:34 122,900 --a------ C:\WINDOWS\system32\swhnokpi.exe

2007-06-21 17:22 122,900 --a------ C:\WINDOWS\system32\nlcyyptc.exe

2007-06-21 17:21 122,900 --a------ C:\WINDOWS\system32\hjgaediy.exe

2007-06-21 17:01 122,900 --a------ C:\WINDOWS\system32\wquwkoer.exe

2007-06-20 20:28 <DIR> d-------- C:\Program Files\Pivot Stickfigure Animator

2007-06-20 18:38 122,900 --a------ C:\WINDOWS\system32\gdkuivrn.exe

2007-06-20 18:13 122,900 --a------ C:\WINDOWS\system32\onevbvwt.exe

2007-06-20 18:03 122,900 --a------ C:\WINDOWS\system32\xxewgkhn.exe

2007-06-20 17:39 122,900 --a------ C:\WINDOWS\system32\enjgtyxb.exe

2007-06-20 17:37 60,928 --a------ C:\WINDOWS\system32\gffy.dll

2007-06-19 16:58 122,900 --a------ C:\WINDOWS\system32\xdufoiwc.exe

2007-06-19 16:47 122,900 --a------ C:\WINDOWS\system32\qmibjrmk.exe

2007-06-16 16:07 <DIR> d-------- D:\DOCUME~1\JAMES~1.MAI\APPLIC~1\InstallShield

2007-06-16 16:07 <DIR> d-------- C:\Program Files\WarRock

2007-06-16 12:25 <DIR> d-------- C:\WINDOWS\system32\pmcubosf

2007-06-16 10:17 286,720 --a------ C:\WINDOWS\system32\scchk32.exe

2007-06-13 19:24 36,864 --a------ C:\WINDOWS\system32\wbsys.dll

2007-06-13 19:24 20,480 --a------ C:\WINDOWS\system32\wbload.dll

2007-06-13 18:54 <DIR> d-------- C:\Program Files\Stardock

2007-06-13 18:54 <DIR> d-------- C:\Program Files\Common Files\stardock

2007-06-13 18:44 161,280 --a------ C:\WINDOWS\system32\fmod.dll

2007-06-13 18:44 1,008,128 --a------ C:\WINDOWS\system32\The Matrix Trilogy.scr

2007-06-12 17:12 <DIR> d-------- C:\Program Files\VB

2007-06-11 17:30 <DIR> d-------- C:\Program Files\HackTheGame

2007-06-11 16:15 2,580 --a------ C:\WINDOWS\system32\hbactjaw.exe

2007-06-10 20:54 <DIR> d-------- D:\DOCUME~1\JAMES~1.MAI\APPLIC~1\Norman

2007-06-06 20:08 55,316 --a------ C:\WINDOWS\system32\ktsidwcn.dll

2007-06-05 20:38 52,432 --a------ C:\WINDOWS\system32\drivers\FOPN.sys

2007-06-05 17:02 14,868 --a------ C:\WINDOWS\system32\fcyxcfet.exe

2007-06-04 16:15 2,580 --a------ C:\WINDOWS\system32\eutgufha.exe

2007-06-03 16:07 2,580 --a------ C:\WINDOWS\system32\uafdbyji.exe

2007-06-02 18:29 <DIR> d-------- D:\DOCUME~1\ALLUSE~1\APPLIC~1\Yahoo! Companion

2007-06-02 17:26 <DIR> d-------- C:\Program Files\Yahoo!

2007-06-02 17:25 <DIR> d-------- C:\Program Files\CCleaner

2007-06-02 17:24 75,264 --a------ C:\WINDOWS\system32\unacev2.dll

2007-06-02 17:24 153,088 --a------ C:\WINDOWS\system32\UNRAR3.dll

2007-06-02 17:24 <DIR> d-------- D:\DOCUME~1\JAMES~1.MAI\APPLIC~1\Simply Super Software

2007-06-02 17:24 <DIR> d-------- D:\DOCUME~1\ALLUSE~1\APPLIC~1\Simply Super Software

2007-06-02 17:24 <DIR> d-------- C:\Program Files\Trojan Remover

2007-06-02 16:43 <DIR> d--h----- C:\WINDOWS\PIF

2007-06-02 15:52 <DIR> d-------- D:\DOCUME~1\JAMES~1.MAI\APPLIC~1\PC Tools

2007-06-02 15:52 <DIR> d-------- C:\Program Files\Spyware Doctor

2007-06-02 15:47 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll

2007-06-02 15:43 <DIR> d-------- C:\Program Files\GiPo@Utilities

2007-06-02 15:43 <DIR> d-------- C:\Program Files\Common Files\Gibinsoft Shared

2007-06-02 10:10 71,168 ---h----- D:\DOCUME~1\ALLUSE~1\APPLIC~1\svchost.exe

2007-06-02 10:00 2,580 --a------ C:\WINDOWS\system32\qsdpmduw.exe

2007-06-02 09:58 28,160 --a------ C:\WINDOWS\system32\sysmon32.exe

2007-06-02 09:53 57,344 --a------ D:\DOCUME~1\ALLUSE~1\APPLIC~1\udinajkv.exe

2007-06-02 09:53 206 --a------ C:\WINDOWS\g438812.exe

2007-06-01 15:11 9,209 --a------ C:\pgob.exe

2007-06-01 15:11 35,840 --a------ C:\WINDOWS\system32\msvcrtd.exe

2007-06-01 15:11 19,968 --a------ C:\gfrlv.exe

2007-06-01 14:31 <DIR> d-------- C:\Program Files\KLC

2007-06-01 13:55 2,079 --a------ C:\WINDOWS\system32\M1achardks.dll

2007-06-01 13:54 4,100 --a------ C:\WINDOWS\system32\hdvirffo.dll

2007-06-01 10:46 <DIR> d-------- D:\DOCUME~1\JAMES~1.MAI\APPLIC~1\GetRightToGo

2007-06-01 10:46 <DIR> d-------- C:\Downloads

2007-05-31 19:48 <DIR> d-------- D:\DOCUME~1\JAMES~1.MAI\APPLIC~1\My Games

2007-05-31 19:33 <DIR> d-------- C:\Program Files\Firaxis Games

2007-05-26 12:51 <DIR> d-------- D:\DOCUME~1\ELESE~1.MAI\APPLIC~1\Ventrilo

2007-05-23 17:57 <DIR> d-------- C:\Program Files\SCAR 3.02

2007-05-22 19:45 <DIR> d-------- D:\DOCUME~1\JAMES~1.MAI\APPLIC~1\AdobeUM

2007-05-22 19:45 <DIR> d-------- C:\Program Files\SCAR 2.03

 

 

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

 

2007-06-20 19:38:51 -------- d-----w C:\Program Files\Common Files\PestPatrol

2007-06-16 15:07:46 -------- d--h--w C:\Program Files\InstallShield Installation Information

2007-06-16 10:41:18 -------- d-----w C:\Program Files\Cheat Engine

2007-06-02 15:10:31 -------- d-----w C:\Program Files\Ares

2007-06-02 10:15:30 -------- d-----w C:\Program Files\GWFreaks

2007-06-01 13:38:15 22,584 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys

2007-05-31 18:48:47 163,644 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys

2007-05-21 17:32:19 -------- d-----w D:\DOCUME~1\JAMES~1.MAI\APPLIC~1\Ventrilo

2007-05-21 17:29:52 -------- d-----w C:\Program Files\Ventrilo

2007-05-21 17:29:33 -------- d-----w C:\Program Files\Common Files\Wise Installation Wizard

2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll

2007-05-16 09:38:34 -------- d-----w C:\Program Files\Disney

2007-05-11 17:56:13 -------- d-----w C:\Program Files\Common Files\Command Software

2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll

2007-04-23 16:27:09 -------- d-----w C:\Program Files\Virtual Villagers

2007-04-22 19:01:26 -------- d-----w C:\Program Files\Yahoo! Games

2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll

2007-04-16 21:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll

2007-04-16 21:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll

2007-04-16 21:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll

2007-04-16 21:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll

2007-04-16 21:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll

2007-04-16 21:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll

2007-04-16 21:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe

2007-04-16 21:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll

 

 

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

 

 

*Note* empty entries & legit default entries are not shown

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

{02478D38-C3F9-4EFB-9B51-7695ECA05670}=C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll [2006-10-26 10:28]

{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2004-12-14 02:56]

{3C060EA2-E6A9-4E49-A530-D4657B8C449A}=C:\Program Files\Virgin Broadband\PCguard\pkR.dll [2007-01-24 19:51]

{56071E0D-C61B-11D3-B41C-00E02927A304}=C:\Program Files\Virgin Broadband\PCguard\FBHR.dll [2007-01-24 19:51]

{631F1A8B-DF14-8DE5-181B-838DB82D85C7}=C:\WINDOWS\system32\gffy.dll [2007-06-20 15:49]

{9030D464-4C02-4ABF-8ECC-5164760863C6}=C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2006-08-31 21:33]

{C37F396F-8B8B-DC70-8A7C-89ADACE924CE}=C:\WINDOWS\system32\wniuvjp.dll []

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"VTTimer"="VTTimer.exe" [2005-03-08 04:33 C:\WINDOWS\system32\VTTimer.exe]

"VTTrayp"="VTtrayp.exe" [2005-03-11 18:33 C:\WINDOWS\system32\VTTrayp.exe]

"SoundMan"="SOUNDMAN.EXE" [2005-01-20 21:04 C:\WINDOWS\SOUNDMAN.EXE]

"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe" [2005-03-04 04:36]

"Ulead AutoDetector v2"="C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe" [2004-11-26 12:43]

"ACTIVBOARD"="c:\apps\ABoard\ABoard.exe" [2003-05-02 11:31]

"nwiz"="nwiz.exe" [2005-06-15 16:20 C:\WINDOWS\system32\nwiz.exe]

"Broadbandadvisor.exe"="C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe" [2007-01-24 15:12]

"PCguard"="C:\Program Files\Virgin Broadband\PCguard\Rps.exe" [2007-01-24 19:53]

"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-11-29 07:17]

"udinajkv.exe"="D:\Documents and Settings\All Users\Application Data\udinajkv.exe" [2007-06-02 09:53]

"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-06-15 16:20]

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"EA Core"="C:\Program Files\Electronic Arts\EA Link\Core.exe" [2007-04-17 07:59]

"Henl"="C:\PROGRA~1\MANTEC~1\netdde.exe" []

"Mwlqls"="D:\Documents and Settings\James.main\Application Data\?ppPatch\d?xplore.exe" []

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]

"{F5DF91F9-15E9-416B-A7C3-7519B11ECBFC}"="C:\PROGRA~1\COMMON~1\stardock\MCPCore.dll" [2005-05-10 13:31]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\MCPClient]

C:\PROGRA~1\COMMON~1\Stardock\mcpstub.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]

C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"appinit_dlls"=wbsys.dll

 

 

**************************************************************************

 

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net

Rootkit scan 2007-06-22 20:17:34

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

 

Completion time: 2007-06-22 20:19:33 - machine was rebooted

C:\ComboFix-quarantined-files.txt ... 2007-06-22 20:19

 

--- E O F ---

(((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))

 

 

C:\WINDOWS\system32\pmnli.dll

C:\WINDOWS\system32\bcnsvnqw.dll

C:\WINDOWS\system32\bptbjosx.dll

C:\WINDOWS\system32\cthyusvi.dll

C:\WINDOWS\system32\cypfegck.dll

C:\WINDOWS\system32\dfcuqngq.dll

C:\WINDOWS\system32\dxhvokqd.dll

C:\WINDOWS\system32\ejjgdrfr.dll

C:\WINDOWS\system32\enuetcpp.dll

C:\WINDOWS\system32\fbmlvoux.dll

C:\WINDOWS\system32\gnvvtfsb.dll

C:\WINDOWS\system32\gpklmnrk.dll

C:\WINDOWS\system32\hkqanxul.dll

C:\WINDOWS\system32\iqgefvvl.dll

C:\WINDOWS\system32\ivqknkff.dll

C:\WINDOWS\system32\jkahvigx.dll

C:\WINDOWS\system32\jtdmwwkl.dll

C:\WINDOWS\system32\kbifpxkc.dll

C:\WINDOWS\system32\lhyplpwj.dll

C:\WINDOWS\system32\lrmenyvf.dll

C:\WINDOWS\system32\moehnbmg.dll

C:\WINDOWS\system32\msywuwfd.dll

C:\WINDOWS\system32\nicljohd.dll

C:\WINDOWS\system32\nyaxwifa.dll

C:\WINDOWS\system32\peqhmgve.dll

C:\WINDOWS\system32\punuixky.dll

C:\WINDOWS\system32\rehnbobe.dll

C:\WINDOWS\system32\rxhcwstl.dll

C:\WINDOWS\system32\shqxcbyh.dll

C:\WINDOWS\system32\tnqcdpvq.dll

C:\WINDOWS\system32\tpbvkfmc.dll

C:\WINDOWS\system32\uuawtfbt.dll

C:\WINDOWS\system32\vopfidxa.dll

C:\WINDOWS\system32\xnqxipav.dll

C:\WINDOWS\system32\awttrsq.dll

C:\WINDOWS\system32\cbxvwuu.dll

C:\WINDOWS\system32\hggebby.dll

C:\WINDOWS\system32\rqrqoli.dll

C:\WINDOWS\system32\tuvtrpp.dll

C:\WINDOWS\system32\winuqw32.dll

C:\WINDOWS\system32\winwim32.dll

C:\WINDOWS\system32\ilnmp.bak1

C:\WINDOWS\system32\ilnmp.ini

C:\WINDOWS\system32\ilnmp.tmp

C:\WINDOWS\system32\oqtss.bak1

C:\WINDOWS\system32\oqtss.bak2

C:\WINDOWS\system32\oqtss.ini

C:\WINDOWS\system32\oqtss.ini2

C:\WINDOWS\system32\oqtss.tmp

C:\WINDOWS\system32\wqnvsncb.ini

C:\WINDOWS\system32\xsojbtpb.ini

C:\WINDOWS\system32\ivsuyhtc.ini

C:\WINDOWS\system32\kcgefpyc.ini

C:\WINDOWS\system32\qgnqucfd.ini

C:\WINDOWS\system32\dqkovhxd.ini

C:\WINDOWS\system32\rfrdgjje.ini

C:\WINDOWS\system32\ppcteune.ini

C:\WINDOWS\system32\xuovlmbf.ini

C:\WINDOWS\system32\krnmlkpg.ini

C:\WINDOWS\system32\luxnaqkh.ini

C:\WINDOWS\system32\lvvfegqi.ini

C:\WINDOWS\system32\ffknkqvi.ini

C:\WINDOWS\system32\xgivhakj.ini

C:\WINDOWS\system32\lkwwmdtj.ini

C:\WINDOWS\system32\ckxpfibk.ini

C:\WINDOWS\system32\gmbnheom.ini

C:\WINDOWS\system32\dfwuwysm.ini

C:\WINDOWS\system32\dhojlcin.ini

C:\WINDOWS\system32\evgmhqep.ini

C:\WINDOWS\system32\ykxiunup.ini

C:\WINDOWS\system32\ebobnher.ini

C:\WINDOWS\system32\ltswchxr.ini

C:\WINDOWS\system32\hybcxqhs.ini

C:\WINDOWS\system32\cmfkvbpt.ini

C:\WINDOWS\system32\tbftwauu.ini

C:\WINDOWS\system32\axdifpov.ini

C:\WINDOWS\system32\ilnmp.bak1

C:\WINDOWS\system32\ilnmp.ini

C:\WINDOWS\system32\ilnmp.tmp

C:\WINDOWS\system32\oqtss.bak1

C:\WINDOWS\system32\oqtss.bak2

C:\WINDOWS\system32\oqtss.ini

C:\WINDOWS\system32\oqtss.ini2

C:\WINDOWS\system32\oqtss.tmp

C:\WINDOWS\system32\oqtss.bak1

C:\WINDOWS\system32\oqtss.bak2

C:\WINDOWS\system32\oqtss.ini

C:\WINDOWS\system32\oqtss.ini2

C:\WINDOWS\system32\oqtss.tmp

C:\WINDOWS\system32\sstqo.dll

C:\WINDOWS\system32\byxwwvw.dll

 

 

* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

 

 

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

 

 

C:\Program Files\Common Files\WinAntiSpyware 2007

C:\Program Files\Common Files\WinAntiSpyware 2007\err.log

C:\Program Files\Common Files\WinAntiSpyware 2007\uwas7cw.exe

C:\Program Files\Common Files\WinAntiSpyware 2007\uwasdc.exe

C:\Program Files\Common Files\WinAntiSpyware 2007\uwasers.exe

C:\Program Files\mantec~1

C:\Program Files\mantec~1\netdde.exe

C:\Program Files\outerinfo

C:\Program Files\outerinfo\OiUninstaller.exe

C:\Program Files\outerinfo\outerinfo.ico

C:\Program Files\outerinfo\Terms.rtf

C:\Program Files\WinAntiSpyware 2007

C:\Program Files\WinAntiSpyware 2007\fopnl.dll

C:\WINDOWS\retadpu1000272.exe

C:\WINDOWS\smgr.exe

C:\WINDOWS\system32\9_exception.nls

C:\WINDOWS\system32\drivers\ip6fw.sys

C:\WINDOWS\system32\j8241635.dll

C:\WINDOWS\system32\msxml3a.dll

C:\WINDOWS\system32\winhoo32.dll

C:\WINDOWS\system32\winsys64.exe

C:\WINDOWS\system32\wintsvcc.exe

C:\WINDOWS\system32\wnsxs~1

D:\DOCUME~1\ALLUSE~1\APPLIC~1.\WinAntiSpyware 2007

D:\DOCUME~1\ALLUSE~1\APPLIC~1.\WinAntiSpyware 2007\Data\Abbr

D:\DOCUME~1\ALLUSE~1\APPLIC~1.\WinAntiSpyware 2007\Data\ProductCode

D:\DOCUME~1\JAMES~1.MAI\APPLIC~1.\pppatc~1

D:\DOCUME~1\JAMES~1.MAI\APPLIC~1.\pppatc~1\d?xplore.exe

D:\DOCUME~1\JAMES~1.MAI\APPLIC~1.\WinAntiSpyware 2007

D:\DOCUME~1\JAMES~1.MAI\APPLIC~1.\WinAntiSpyware 2007\Logs\update.log

D:\DOCUME~1\LOCALS~1.NTA\APPLIC~1\netmon

D:\DOCUME~1\LOCALS~1.NTA\APPLIC~1\netmon\domains.txt

D:\DOCUME~1\LOCALS~1.NTA\APPLIC~1\netmon\log.txt

D:\DOCUME~1\LOCALS~1\APPLIC~1\netmon

D:\DOCUME~1\LOCALS~1\APPLIC~1\netmon\domains.txt

D:\DOCUME~1\LOCALS~1\APPLIC~1\netmon\log.txt

 

 

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

 

 

-------\LEGACY_RUNTIME

 

 

((((((((((((((((((((((((( Files Created from 2007-05-22 to 2007-06-22 )))))))))))))))))))))))))))))))

 

 

No new files created in this timespan

 

 

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

 

2007-06-20 19:38:51 -------- d-----w C:\Program Files\Common Files\PestPatrol

2007-06-16 15:07:46 -------- d--h--w C:\Program Files\InstallShield Installation Information

2007-06-16 10:41:18 -------- d-----w C:\Program Files\Cheat Engine

2007-06-02 15:10:31 -------- d-----w C:\Program Files\Ares

2007-06-02 10:15:30 -------- d-----w C:\Program Files\GWFreaks

2007-06-01 13:38:15 22,584 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys

2007-05-31 18:48:47 163,644 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys

2007-05-21 17:32:19 -------- d-----w D:\DOCUME~1\JAMES~1.MAI\APPLIC~1\Ventrilo

2007-05-21 17:29:52 -------- d-----w C:\Program Files\Ventrilo

2007-05-21 17:29:33 -------- d-----w C:\Program Files\Common Files\Wise Installation Wizard

2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll

2007-05-16 09:38:34 -------- d-----w C:\Program Files\Disney

2007-05-11 17:56:13 -------- d-----w C:\Program Files\Common Files\Command Software

2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll

2007-04-23 16:27:09 -------- d-----w C:\Program Files\Virtual Villagers

2007-04-22 19:01:26 -------- d-----w C:\Program Files\Yahoo! Games

2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll

2007-04-16 21:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll

2007-04-16 21:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll

2007-04-16 21:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll

2007-04-16 21:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll

2007-04-16 21:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll

2007-04-16 21:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll

2007-04-16 21:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe

2007-04-16 21:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll

 

 

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

 

 

*Note* empty entries & legit default entries are not shown

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

{02478D38-C3F9-4EFB-9B51-7695ECA05670}=C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll [2006-10-26 10:28]

{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2004-12-14 02:56]

{3C060EA2-E6A9-4E49-A530-D4657B8C449A}=C:\Program Files\Virgin Broadband\PCguard\pkR.dll [2007-01-24 19:51]

{56071E0D-C61B-11D3-B41C-00E02927A304}=C:\Program Files\Virgin Broadband\PCguard\FBHR.dll [2007-01-24 19:51]

{631F1A8B-DF14-8DE5-181B-838DB82D85C7}=C:\WINDOWS\system32\gffy.dll [2007-06-20 15:49]

{9030D464-4C02-4ABF-8ECC-5164760863C6}=C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2006-08-31 21:33]

{C37F396F-8B8B-DC70-8A7C-89ADACE924CE}=C:\WINDOWS\system32\wniuvjp.dll []

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"VTTimer"="VTTimer.exe" [2005-03-08 04:33 C:\WINDOWS\system32\VTTimer.exe]

"VTTrayp"="VTtrayp.exe" [2005-03-11 18:33 C:\WINDOWS\system32\VTTrayp.exe]

"SoundMan"="SOUNDMAN.EXE" [2005-01-20 21:04 C:\WINDOWS\SOUNDMAN.EXE]

"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe" [2005-03-04 04:36]

"Ulead AutoDetector v2"="C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe" [2004-11-26 12:43]

"ACTIVBOARD"="c:\apps\ABoard\ABoard.exe" [2003-05-02 11:31]

"nwiz"="nwiz.exe" [2005-06-15 16:20 C:\WINDOWS\system32\nwiz.exe]

"Broadbandadvisor.exe"="C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe" [2007-01-24 15:12]

"PCguard"="C:\Program Files\Virgin Broadband\PCguard\Rps.exe" [2007-01-24 19:53]

"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-11-29 07:17]

"udinajkv.exe"="D:\Documents and Settings\All Users\Application Data\udinajkv.exe" [2007-06-02 09:53]

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"EA Core"="C:\Program Files\Electronic Arts\EA Link\Core.exe" [2007-04-17 07:59]

"Henl"="C:\PROGRA~1\MANTEC~1\netdde.exe" []

"Mwlqls"="D:\Documents and Settings\James.main\Application Data\?ppPatch\d?xplore.exe" []

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]

"{F5DF91F9-15E9-416B-A7C3-7519B11ECBFC}"="C:\PROGRA~1\COMMON~1\stardock\MCPCore.dll" [2005-05-10 13:31]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\MCPClient]

C:\PROGRA~1\COMMON~1\Stardock\mcpstub.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]

C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"appinit_dlls"=wbsys.dll

 

 

**************************************************************************

 

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net

Rootkit scan 2007-06-22 20:21:06

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

**************************************************************************

 

Completion time: 2007-06-22 20:22:01 - machine was rebooted

C:\ComboFix-quarantined-files.txt ... 2007-06-22 20:21

 

--- E O F ---

 

 

 

 

HJT:

 

Logfile of HijackThis v1.99.1

Scan saved at 20:24, on 2007-06-22

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Virgin Broadband\PCguard\fws.exe

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe

C:\WINDOWS\Explorer.EXE

C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe

C:\WINDOWS\system32\qmibjrmk.exe

C:\Program Files\Common Files\Command Software\dvpapi.exe

C:\WINDOWS\system32\VTTimer.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe

C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe

C:\apps\ABoard\ABoard.exe

C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe

C:\apps\ABoard\AOSD.exe

C:\Program Files\Virgin Broadband\PCguard\Rps.exe

C:\Program Files\QuickTime\qttask.exe

D:\Documents and Settings\All Users\Application Data\udinajkv.exe

C:\Program Files\blueyonder IST\bin\mpbtn.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\Virgin Broadband\advisor\BroadbandadvisorComHandler.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\WINDOWS\system32\cmd.exe

C:\Program Files\Hijackthis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = file://C:\APPS\IE\offline\uk.htm

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.blueyonder.co.uk/

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: PopKill Class - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Virgin Broadband\PCguard\pkR.dll

O2 - BHO: ZKBho Class - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Virgin Broadband\PCguard\FBHR.dll

O2 - BHO: (no name) - {631F1A8B-DF14-8DE5-181B-838DB82D85C7} - C:\WINDOWS\system32\gffy.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: (no name) - {C37F396F-8B8B-DC70-8A7C-89ADACE924CE} - C:\WINDOWS\system32\wniuvjp.dll (file missing)

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O4 - HKLM\..\Run: [VTTimer] VTTimer.exe

O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe

O4 - HKLM\..\Run: [ulead AutoDetector v2] C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe

O4 - HKLM\..\Run: [ACTIVBOARD] c:\apps\ABoard\ABoard.exe

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [broadbandadvisor.exe] "C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe" /AUTORUN

O4 - HKLM\..\Run: [PCguard] "C:\Program Files\Virgin Broadband\PCguard\Rps.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [udinajkv.exe] D:\Documents and Settings\All Users\Application Data\udinajkv.exe

O4 - HKCU\..\Run: [EA Core] "C:\Program Files\Electronic Arts\EA Link\Core.exe" -silent

O4 - HKCU\..\Run: [Henl] "C:\PROGRA~1\MANTEC~1\netdde.exe" -vt yazb

O4 - HKCU\..\Run: [Mwlqls] "D:\Documents and Settings\James.main\Application Data\?ppPatch\d?xplore.exe"

O4 - Global Startup: blueyonder Instant Support Tool.lnk = C:\Program Files\blueyonder IST\bin\matcli.exe

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O14 - IERESET.INF: START_PAGE_URL=file://C:\APPS\IE\offline\uk.htm

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll

O16 - DPF: {352797A0-EFD0-4FA6-B229-145120EA4B8A} (Walt Disney Internet Group Hardware Control) - https://disneyblast.go.com/v3/setup/activex...wareControl.cab

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL

O20 - Winlogon Notify: MCPClient - C:\PROGRA~1\COMMON~1\Stardock\mcpstub.dll

O20 - Winlogon Notify: WBSrv - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe

O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe

O23 - Service: DomainService - - C:\WINDOWS\system32\qmibjrmk.exe

O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: Microsoft security update service (msupdate) - Unknown owner - c:\windows\system32\msvcrtd.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe (file missing)

O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe (file missing)

O23 - Service: PCguard Firewall (RP_FWS) - Radialpoint Inc. - C:\Program Files\Virgin Broadband\PCguard\fws.exe

 

 

 

 

Thank you.


  • Download RogueRemover by malwarebytes.org from here
  • Double-click on rr-free-setup.exe to start the installation of RogueRemover
  • Click Next
  • Click I agree
  • Click Install
  • Untick Show Readme
  • Click Finish
  • This will now launch RogueRemover
  • Close the help window
  • Click Check for updates
  • If there are any updates found click Download
  • Wait for any updates to finish downloading/installing, then click Close in the update window
  • Click on Scan
  • If nothing is found, then close RogueRemover
  • If RogueRemover did find something, it will present a list of detected items
  • Click on Save log
  • Click OK at the prompt
  • Click Remove selected
  • Click YES at the prompt
  • Wait for removal to complete & then close RogueRemover
  • Use notepad to open this file
    • C:\Program Files\RogueRemover\RRLog******.txt

Post a new HJT log and let me know how your computer is running.

 

Logs to include in your reply

RogueRemover log

HJT


Malwarebytes' RogueRemover

Malwarebytes ©2007 http://www.malwarebytes.org

5458 total fingerprints loaded.

 

Loading database ...

Expanding environmental variables ...

 

Scanning files ... [ 100% ].

Scanning folders ... [ 100% ].

Scanning registry keys ... [ 100% ].

Scanning registry values ... [ 100% ].

 

RogueRemover has detected rogue antispyware components! Results below...

 

Type: File

Vendor: WinAntiVirus 2006

Location: C:\WINDOWS\system32\drivers\FOPN.sys

Selected for removal: Yes

 

Type: Folder

Vendor: WinAntiVirus 2006

Location: D:\Documents and Settings\All Users\Application Data\WinAntiVirus Pro 2006

Selected for removal: Yes

 

Type: Registry Key

Vendor: WinAntiVirus 2006

Location: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_FOPN

Selected for removal: Yes

 

Type: Registry Key

Vendor: WinAntiVirus 2006

Location: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_FOPN

Selected for removal: Yes

 

RogueRemover has found the objects above.

 

 

 

 

 

 

Logfile of HijackThis v1.99.1

Scan saved at 11:22, on 2007-07-07

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe

C:\Program Files\Common Files\Command Software\dvpapi.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\VTTimer.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe

C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe

C:\apps\ABoard\ABoard.exe

C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe

C:\apps\ABoard\AOSD.exe

C:\Program Files\Virgin Broadband\PCguard\Rps.exe

C:\Program Files\QuickTime\qttask.exe

D:\Documents and Settings\All Users\Application Data\udinajkv.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Virgin Broadband\advisor\BroadbandadvisorComHandler.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe

D:\Documents and Settings\James.main\Desktop\TheKernelSR.exe

C:\Program Files\MSN Messenger\usnsvc.exe

C:\Program Files\Xfire\xfire.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Hijackthis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = file://C:\APPS\IE\offline\uk.htm

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.blueyonder.co.uk/

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: PopKill Class - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Virgin Broadband\PCguard\pkR.dll

O2 - BHO: ZKBho Class - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Virgin Broadband\PCguard\FBHR.dll

O2 - BHO: (no name) - {631F1A8B-DF14-8DE5-181B-838DB82D85C7} - C:\WINDOWS\system32\gffy.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: (no name) - {C37F396F-8B8B-DC70-8A7C-89ADACE924CE} - C:\WINDOWS\system32\wniuvjp.dll (file missing)

O4 - HKLM\..\Run: [VTTimer] VTTimer.exe

O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe

O4 - HKLM\..\Run: [ulead AutoDetector v2] C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe

O4 - HKLM\..\Run: [ACTIVBOARD] c:\apps\ABoard\ABoard.exe

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [broadbandadvisor.exe] "C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe" /AUTORUN

O4 - HKLM\..\Run: [PCguard] "C:\Program Files\Virgin Broadband\PCguard\Rps.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [udinajkv.exe] D:\Documents and Settings\All Users\Application Data\udinajkv.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKCU\..\Run: [EA Core] "C:\Program Files\Electronic Arts\EA Link\Core.exe" -silent

O4 - HKCU\..\Run: [Henl] "C:\PROGRA~1\MANTEC~1\netdde.exe" -vt yazb

O4 - HKCU\..\Run: [Mwlqls] "D:\Documents and Settings\James.main\Application Data\?ppPatch\d?xplore.exe"

O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\xfire.exe

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O14 - IERESET.INF: START_PAGE_URL=file://C:\APPS\IE\offline\uk.htm

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll

O16 - DPF: {352797A0-EFD0-4FA6-B229-145120EA4B8A} (Walt Disney Internet Group Hardware Control) - https://disneyblast.go.com/v3/setup/activex...wareControl.cab

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe

O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: Microsoft security update service (msupdate) - Unknown owner - c:\windows\system32\msvcrtd.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe (file missing)

O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe (file missing)

O23 - Service: PCguard Firewall (RP_FWS) - Unknown owner - C:\Program Files\Virgin Broadband\PCguard\fws.exe (file missing)


Please help me to help you, extreme182. I asked you for an update on how your PC was now performing and you did not answer. Kindly leave me an update at the end of your next post.

 

File::
C:\gfrlv.exe
C:\WINDOWS\g438812.exe
C:\WINDOWS\system32\cgpusmxd.exe
C:\WINDOWS\system32\ddnockip.exe
C:\WINDOWS\system32\enjgtyxb.exe
C:\WINDOWS\system32\eutgufha.exe
C:\WINDOWS\system32\fcyxcfet.exe
C:\WINDOWS\system32\gdkuivrn.exe
C:\WINDOWS\system32\hbactjaw.exe
C:\WINDOWS\system32\hjgaediy.exe
C:\WINDOWS\system32\msvcrtd.exe
C:\WINDOWS\system32\nlcyyptc.exe
C:\WINDOWS\system32\onevbvwt.exe
C:\WINDOWS\system32\qmibjrmk.exe
C:\WINDOWS\system32\qsdpmduw.exe
C:\WINDOWS\system32\scchk32.exe
C:\WINDOWS\system32\swhnokpi.exe
C:\WINDOWS\system32\sysmon32.exe
C:\WINDOWS\system32\uafdbyji.exe
C:\WINDOWS\system32\wquwkoer.exe
C:\WINDOWS\system32\xdufoiwc.exe
C:\WINDOWS\system32\xxewgkhn.exe
C:\WINDOWS\system32\gffy.dll
C:\WINDOWS\system32\hdvirffo.dll
C:\WINDOWS\system32\ktsidwcn.dll
C:\WINDOWS\system32\M1achardks.dll
D:\DOCUME~1\ALLUSE~1\APPLIC~1\svchost.exe
D:\DOCUME~1\ALLUSE~1\APPLIC~1\udinajkv.exe

Folder::
C:\WINDOWS\system32\pmcubosf

 

Please copy the contents above into a Notepad document and save it as ComboFix-do.txt

Save it to the Desktop and then drag it onto ComboFix.exe (as shown below) and it will automatically start running.

 

[image: Combo-Do.gif]

A log will be created, please post it in your next post.

 

 

Open up HijackThis, do a System Scan and select the following entries (if present)

O2 - BHO: (no name) - {631F1A8B-DF14-8DE5-181B-838DB82D85C7} - C:\WINDOWS\system32\gffy.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: (no name) - {C37F396F-8B8B-DC70-8A7C-89ADACE924CE} - C:\WINDOWS\system32\wniuvjp.dll (file missing)

O4 - HKLM\..\Run: [udinajkv.exe] D:\Documents and Settings\All Users\Application Data\udinajkv.exe

O4 - HKCU\..\Run: [Henl] "C:\PROGRA~1\MANTEC~1\netdde.exe" -vt yazb

O4 - HKCU\..\Run: [Mwlqls] "D:\Documents and Settings\James.main\Application Data\?ppPatch\d?xplore.exe"

Press Fix checked and close the program.

 

 

 

Download Dr.Web CureIt to the desktop:

ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe

  • Double-click the drweb-cureit.exe file and allow it to run the express scan
  • This will scan the files currently running in memory and, when something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, click Options > Change settings
  • Choose the "Scan" tab and remove the mark at "Heuristic analysis".
  • Back at the main window, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, look whether you can click the next icon next to the files found: [image: check.gif]
  • If so, click it, then click the next icon right below and select Move incurable, as you'll see in the next image:
    [image: move.gif]
    This will move it to the %userprofile%\DoctorWeb quarantine folder if it can't be cured. (This is in case we need samples.)
  • After selecting, in the Dr.Web CureIt menu on top, click File and choose Save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web CureIt.
  • Reboot your computer! It is possible that files in use will only be moved/deleted during the reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously in your next reply.

Please go to www.virustotal.com and upload this file

C:\WINDOWS\system32\The Matrix Trilogy.scr and scan it. Then please paste the results of the scan into your next post.

 

Post a new HJT log and let me know how your computer is running.

 

Logs to include in your reply

ComboFix-do log

HJT

Dr.Web CureIt

VirusTotal results

Edited by EnigmaChick


Due to the lack of feedback this Topic is closed.

 

If you need this topic reopened, please tell the moderating team by replying here with the address of the thread. This applies only to the original topic starter.

 

Everyone else please begin a New Topic.
