Badly infected lappy, WinXP, don't want to reinstall. HELP ME
http://www.techspot.com/vb/showthread.php?p=587627&posted=1#post587627
That's the forum about the issue, it has everything I've tried so far. I am about to go home and get my livecd (it's a friend's computer) to rm a few files that I can't touch whilst in XP.
If you can read the logs I posted there ^^ and help me out, it would be great. I do not want to reinstall; I remember zephyr or korg saying that is NEVER a resort, and I quite agree… However, this has taken a lot of my time, it's getting annoying, and the only thing I've gotten out of it so far is a free meal :D
(a very good meal, however ^_^ )
So, if you can help, thanks!
@thors, you should have come here first, buddy. Redo the HJT and ComboFix logs and post them here or PM me. You can't view your files on TechSpot, and I will not join that site. Won't get into that now. (noobs.) Let me know.
ComboFix 08-03-05.1 - Jenny3.0 2008-03-07 9:37:38.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.558 [GMT -6:00]
Running from: C:\Documents and Settings\Jenny3.0\Desktop\ComboFix.exe
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\BM0b8e15f7.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\awvvv.dll
C:\WINDOWS\system32\kvbqpbhw.dll
C:\WINDOWS\system32\kvsphoco.ini
C:\WINDOWS\system32\lspqrdrq.dll
C:\WINDOWS\system32\mpcuaifp.dll
C:\WINDOWS\system32\nnfjmdgk.dll
C:\WINDOWS\system32\ocohpsvk.dll
C:\WINDOWS\system32\poowqsbw.dll
C:\WINDOWS\system32\ssqnnnk.dll
C:\WINDOWS\system32\twfuklut.dll
C:\WINDOWS\system32\vpmoofho.dll
C:\WINDOWS\system32\vvvwa.ini
C:\WINDOWS\system32\vvvwa.ini2
C:\WINDOWS\system32\whbpqbvk.ini
C:\WINDOWS\system32\wswiuoph.dll
.
((((((((((((((((((((((((( Files Created from 2008-02-07 to 2008-03-07 )))))))))))))))))))))))))))))))
.
2008-03-07 09:30 . 2008-03-07 09:30	<DIR>	d--------	C:\Documents and Settings\Jenny3.0\Application Data\MailFrontier
2008-03-07 09:24 . 2008-03-07 09:47	213,280	--ahs----	C:\WINDOWS\system32\drivers\fidbox.dat
2008-03-07 09:24 . 2008-03-07 09:44	3,860	--ahs----	C:\WINDOWS\system32\drivers\fidbox.idx
2008-03-07 08:20 . 2008-03-07 08:20	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\MailFrontier
2008-03-07 08:20 . 2007-11-14 16:05	75,248	--a------	C:\WINDOWS\zllsputility.exe
2008-03-07 08:20 . 2004-04-27 04:40	11,264	--a------	C:\WINDOWS\system32\SpOrder.dll
2008-03-07 08:20 . 2008-03-07 09:46	4,212	---h-----	C:\WINDOWS\system32\zllictbl.dat
2008-03-07 08:19 . 2008-03-07 08:19	<DIR>	d--------	C:\Program Files\Zone Labs
2008-03-07 08:18 . 2008-03-07 09:30	<DIR>	d--------	C:\WINDOWS\Internet Logs
2008-03-06 16:31 . 2008-03-06 16:34	<DIR>	d--------	C:\WINDOWS\.jagex_cache_32
2008-03-06 10:29 . 2008-03-06 10:29	1,308,018	---hs----	C:\WINDOWS\system32\tbnvonyb.ini
2008-03-06 09:31 . 2008-03-07 07:23	0	--a------	C:\adware.exe
2008-03-05 18:35 . 2008-03-05 18:35	<DIR>	d--------	C:\Deckard
2008-03-05 17:51 . 2008-03-05 17:51	<DIR>	d--------	C:\VundoFix Backups
2008-03-05 17:37 . 2008-03-05 17:37	<DIR>	d--------	C:\Program Files\Spybot - Search & Destroy
2008-03-05 17:37 . 2008-03-06 16:23	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-05 17:34 . 2008-03-05 17:34	<DIR>	d--------	C:\Documents and Settings\Jenny3.0\Application Data\Grisoft
2008-03-05 17:22 . 2008-03-05 17:22	<DIR>	d--------	C:\Program Files\Lavasoft
2008-03-05 17:22 . 2008-03-05 17:22	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-03-05 17:19 . 2008-03-05 17:19	<DIR>	d--------	C:\Program Files\Trend Micro
2008-03-05 17:05 . 2008-03-05 17:05	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\Grisoft
2008-03-05 17:05 . 2007-05-30 06:10	10,872	--a------	C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-03-05 16:55 . 2008-03-05 16:55	<DIR>	d--------	C:\Documents and Settings\Jenny3.0\Application Data\Sonic
2008-03-05 16:55 . 2008-03-05 16:55	<DIR>	d--------	C:\Documents and Settings\Jenny3.0\Application Data\Leadertech
2008-03-04 22:23 . 2008-03-04 22:23	1,302,838	---hs----	C:\WINDOWS\system32\dwjfoaxm.ini
2008-03-04 21:32 . 2008-03-04 21:37	<DIR>	d--------	C:\WINDOWS\system32\ActiveScan
2008-03-04 21:32 . 2008-03-04 21:35	30,590	--a------	C:\WINDOWS\system32\pavas.ico
2008-03-04 21:32 . 2008-03-04 21:35	2,550	--a------	C:\WINDOWS\system32\Uninstall.ico
2008-03-04 21:32 . 2008-03-04 21:35	1,406	--a------	C:\WINDOWS\system32\Help.ico
2008-03-04 21:15 . 2007-10-10 17:55	193,024	--a------	C:\WINDOWS\system32\SET266.tmp
2008-03-04 21:00 . 2008-03-04 21:00	1,302,838	---hs----	C:\WINDOWS\system32\ensecyjs.ini
2008-03-04 19:54 . 2007-10-10 17:56	1,159,680	--a------	C:\WINDOWS\system32\SET262.tmp
2008-03-04 19:54 . 2007-10-10 17:56	824,832	--a------	C:\WINDOWS\system32\SET260.tmp
2008-03-04 19:54 . 2007-10-10 17:55	105,984	--a------	C:\WINDOWS\system32\SET263.tmp
2008-03-04 19:52 . 2007-08-13 18:54	33,792	--a--c---	C:\WINDOWS\system32\dllcache\custsat.dll
2008-03-04 19:43 . 2008-03-04 19:43	<DIR>	d--------	C:\ea7a20db18229096467479
2008-03-04 19:26 . 2008-03-04 19:26	1,302,838	---hs----	C:\WINDOWS\system32\ujkohjwa.ini
2008-03-04 19:17 . 2008-03-04 19:17	41,984	--a------	C:\WINDOWS\system32\efcbbaw.dll.vir
2008-03-04 17:54 . 2008-03-06 16:21	<DIR>	d--------	C:\Program Files\EliteSwitch
2008-03-03 21:32 . 2008-03-03 21:32	<DIR>	d--------	C:\Documents and Settings\Jenny3.0\Application Data\SUPERAntiSpyware.com
2008-03-03 21:04 . 2008-03-07 09:31	<DIR>	d--------	C:\Documents and Settings\Jenny3.0\amsn
2008-03-03 20:41 . 2008-03-03 20:41	<DIR>	d--------	C:\Documents and Settings\Jenny3.0\Application Data\Talkback
2008-03-03 20:31 . 2004-11-23 14:18	<DIR>	d--------	C:\Documents and Settings\Jenny3.0\Application Data\Sony Corporation
2008-03-03 19:51 . 2008-03-06 16:29	<DIR>	d--------	C:\Program Files\Java
2008-03-03 19:51 . 2008-03-03 19:51	<DIR>	d--------	C:\Program Files\Common Files\Java
2008-03-02 16:14 . 2008-02-22 02:33	69,632	--a------	C:\WINDOWS\system32\javacpl.cpl
2008-03-02 15:54 . 2008-03-02 15:54	32,764	--a------	C:\WINDOWS\17PHolmes1535.exe
2008-03-02 13:42 . 2008-03-02 13:42	<DIR>	d--------	C:\Program Files\ESET
2008-03-02 13:10 . 2008-03-02 13:10	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\ESET
2008-02-28 16:07 . 2008-03-06 16:24	49,167	-r-hs----	C:\WINDOWS\live.messenger.com
2008-02-27 20:31 . 2008-02-27 20:31	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\SwiftKit
2008-02-26 22:03 . 2008-02-26 22:03	<DIR>	d--h-----	C:\WINDOWS\PIF
2008-02-24 14:36 . 2008-02-24 21:20	724,992	---hs----	C:\WINDOWS\system32\svc.exe
2008-02-11 22:10 . 2008-02-28 16:13	<DIR>	d--------	C:\Program Files\aMSN
2008-02-08 17:51 . 2008-02-08 17:51	<DIR>	d--------	C:\Program Files\Alwil Software
2008-02-07 22:09 . 2008-02-07 22:08	846,848	-r-hs----	C:\WINDOWS\wkssvc.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-06 04:29	82,432	----a-w	C:\WINDOWS\system32\IEDFix.exe
2008-03-05 23:43	4,686	----a-w	C:\WINDOWS\system32\tmp.reg
2008-03-05 23:21	---------	d-----w	C:\Program Files\Common Files\Wise Installation Wizard
2008-03-05 21:40	---------	d-----w	C:\Program Files\SUPERAntiSpyware
2008-03-02 05:12	86,016	----a-w	C:\WINDOWS\system32\VACFix.exe
2008-02-28 02:51	---------	d-----w	C:\Program Files\SwiftSwitch
2008-02-17 16:42	---------	d--h--w	C:\Program Files\InstallShield Installation Information
2008-01-28 02:35	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Kiwee Toolbar2
2007-12-14 17:32	12,632	----a-w	C:\WINDOWS\system32\lsdelete.exe
2007-12-07 02:21	124,928	----a-w	C:\WINDOWS\system32\advpack(2).dll
.
((((((((((((((((((((((((((((( snapshot@2008-03-05_18.30.59.21 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-03-06 22:34:52	98,678	----a-w	C:\WINDOWS\.jagex_cache_32\loginapplet\cache-1965029828.dat
- 2007-07-19 21:10:28	127,768	----a-w	C:\WINDOWS\system32\drivers\klif.sys
- 2007-09-25 04:30:28	135,168	----a-w	C:\WINDOWS\system32\java.exe
- 2008-02-22 07:23:35	135,168	----a-w	C:\WINDOWS\system32\java.exe
- 2007-09-25 04:30:30	135,168	----a-w	C:\WINDOWS\system32\javaw.exe
- 2008-02-22 07:23:39	135,168	----a-w	C:\WINDOWS\system32\javaw.exe
- 2007-09-25 05:31:42	139,264	----a-w	C:\WINDOWS\system32\javaws.exe
- 2008-02-22 08:33:32	139,264	----a-w	C:\WINDOWS\system32\javaws.exe
- 2007-11-14 22:04:46	796,048	----a-w	C:\WINDOWS\system32\libeay32_0.9.6l.dll
- 2007-11-14 22:04:52	83,432	----a-w	C:\WINDOWS\system32\vsdata.dll
- 2007-11-14 22:05:16	394,952	----a-w	C:\WINDOWS\system32\vsdatant.sys
- 2007-11-14 22:04:52	157,160	----a-w	C:\WINDOWS\system32\vsinit.dll
- 2007-11-14 22:04:52	103,912	----a-w	C:\WINDOWS\system32\vsmonapi.dll
- 2007-11-14 22:04:52	275,944	----a-w	C:\WINDOWS\system32\vspubapi.dll
- 2007-11-14 22:04:52	71,144	----a-w	C:\WINDOWS\system32\vsregexp.dll
- 2007-11-14 22:04:54	472,552	----a-w	C:\WINDOWS\system32\vsutil.dll
- 2007-11-14 22:04:54	46,568	----a-w	C:\WINDOWS\system32\vswmi.dll
- 2007-11-14 22:04:54	99,816	----a-w	C:\WINDOWS\system32\vsxml.dll
- 2007-11-14 22:04:56	83,432	----a-w	C:\WINDOWS\system32\zlcomm.dll
- 2007-11-14 22:04:56	71,144	----a-w	C:\WINDOWS\system32\zlcommdb.dll
- 2007-11-14 22:04:44	370,208	----a-w	C:\WINDOWS\system32\ZoneLabs\av.dll
- 2007-05-31 06:03:30	65,248	----a-w	C:\WINDOWS\system32\ZoneLabs\avsys\bases\aphish.dat
- 2006-06-30 20:47:36	21,568	----a-w	C:\WINDOWS\system32\ZoneLabs\avsys\bases\avcmhk4.dll
- 2008-03-07 15:45:56	23,324	----a-w	C:\WINDOWS\system32\ZoneLabs\avsys\bases\sfdb.dat
- 2007-05-31 06:03:16	77,824	----a-w	C:\WINDOWS\system32\ZoneLabs\avsys\CKAHComm.dll
- 2007-05-31 06:03:16	110,592	----a-w	C:\WINDOWS\system32\ZoneLabs\avsys\CKAHrule.dll
- 2007-05-31 06:03:16	331,776	----a-w	C:\WINDOWS\system32\ZoneLabs\avsys\CKAHUM.dll
- 2007-05-31 06:03:16	38,400	----a-w	C:\WINDOWS\system32\ZoneLabs\avsys\FSSync.dll
- 2007-07-19 21:10:32	110,360	----a-w	C:\WINDOWS\system32\ZoneLabs\avsys\instdrivers\w2kxp32\kl1.sys
- 2007-07-19 21:10:32	186,128	----a-w	C:\WINDOWS\system32\ZoneLabs\avsys\instdrivers\w2kxp32\klif.sys
- 2007-05-31 06:03:48	110,360	----a-w	C:\WINDOWS\system32\ZoneLabs\avsys\instdrivers\x32\kl1.sys
- 2007-07-19 21:10:28	127,768	----a-w	C:\WINDOWS\system32\ZoneLabs\avsys\instdrivers\x32\klif.sys
- 2007-05-31 06:03:50	45,056	----a-w	C:\WINDOWS\system32\ZoneLabs\avsys\instdrivers\x32\regcat.exe
- 2006-09-20 05:12:14	208,960	----a-w	C:\WINDOWS\system32\ZoneLabs\avsys\inv.dll
- 2007-09-12 03:09:16	274,432	----a-w	C:\WINDOWS\system32\ZoneLabs\avsys\kave.dll
- 2006-12-20 00:13:52	1,093,632	----a-w	C:\WINDOWS\system32\ZoneLabs\avsys\libeay32.dll
- 2007-05-31 06:03:20	548,864	----a-w	C:\WINDOWS\system32\ZoneLabs\avsys\msvcp80.dll
- 2007-05-31 06:03:20	626,688	----a-w	C:\WINDOWS\system32\ZoneLabs\avsys\msvcr80.dll
- 2007-05-31 06:03:18	184,320	----a-w	C:\WINDOWS\system32\ZoneLabs\avsys\prloader.dll
- 2007-05-31 06:03:22	90,112	----a-w	C:\WINDOWS\system32\ZoneLabs\avsys\prremote.dll
- 2007-09-12 03:09:16	135,168	----a-w	C:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe
- 2006-12-20 00:13:52	200,704	----a-w	C:\WINDOWS\system32\ZoneLabs\avsys\ssleay32.dll
- 2007-11-14 22:04:44	99,816	----a-w	C:\WINDOWS\system32\ZoneLabs\camupd.dll
- 2004-01-30 18:35:08	813,568	----a-w	C:\WINDOWS\system32\ZoneLabs\dbghelp.dll
- 2007-11-14 22:04:46	128,480	----a-w	C:\WINDOWS\system32\ZoneLabs\fbl.dll
- 2007-11-14 22:04:46	38,376	----a-w	C:\WINDOWS\system32\ZoneLabs\featuremap.dll
- 2007-11-14 22:04:46	321,016	----a-w	C:\WINDOWS\system32\ZoneLabs\imsecure.dll
- 2007-11-14 22:05:18	288,144	----a-w	C:\WINDOWS\system32\ZoneLabs\lib\ConfigWizard.zip.dll
- 2007-11-14 22:05:18	152,976	----a-w	C:\WINDOWS\system32\ZoneLabs\lib\licenseui.zip.dll
- 2007-11-14 22:05:18	26,000	----a-w	C:\WINDOWS\system32\ZoneLabs\lib\zlsvc.zip.dll
- 2007-11-14 22:05:18	1,361,296	----a-w	C:\WINDOWS\system32\ZoneLabs\lib\zpy.zip.dll
- 2007-11-14 22:05:20	71,056	----a-w	C:\WINDOWS\system32\ZoneLabs\lib\zui.zip.dll
- 2007-11-14 22:06:34	30,184	----a-w	C:\WINDOWS\system32\ZoneLabs\plugins\rpc_server\rpc_server.dll
- 2007-11-14 22:06:36	30,216	----a-w	C:\WINDOWS\system32\ZoneLabs\plugins\vsmon_plugin\vsmon_plugin.dll
- 2007-10-19 02:18:38	714,208	----a-w	C:\WINDOWS\system32\ZoneLabs\qrbase.dll
- 2007-10-19 02:18:38	787,936	----a-w	C:\WINDOWS\system32\ZoneLabs\qrsrecl.dll
- 2007-11-14 22:04:48	173,544	----a-w	C:\WINDOWS\system32\ZoneLabs\scheduler.dll
- 2007-01-11 17:12:08	2,432,259	----a-w	C:\WINDOWS\system32\ZoneLabs\spyware.dat
- 2007-10-19 02:18:40	1,500,640	----a-w	C:\WINDOWS\system32\ZoneLabs\srescan.dll
- 2007-10-19 02:18:44	51,176	----a-w	C:\WINDOWS\system32\ZoneLabs\srescan.sys
- 2007-11-14 22:04:50	456,168	----a-w	C:\WINDOWS\system32\ZoneLabs\ssleay32.dll
- 2007-11-14 22:06:36	214,528	----a-w	C:\WINDOWS\system32\ZoneLabs\streamapi\httpblocker\httpblocker.dll
- 2007-11-14 22:06:36	3,266,040	----a-w	C:\WINDOWS\system32\ZoneLabs\streamapi\imslsp\imslsp.dll
- 2006-09-05 02:59:14	503,875	----a-w	C:\WINDOWS\system32\ZoneLabs\upd_core.dll
- 2007-10-11 22:50:32	832,984	----a-w	C:\WINDOWS\system32\ZoneLabs\updating.dll
- 2007-11-14 22:05:06	144,936	----a-w	C:\WINDOWS\system32\ZoneLabs\updclient.exe
- 2007-01-11 23:31:06	286,787	----a-w	C:\WINDOWS\system32\ZoneLabs\updtrsdk.dll
- 2007-11-14 22:04:52	108,008	----a-w	C:\WINDOWS\system32\ZoneLabs\vsavpro.dll
- 2007-11-14 22:04:52	83,432	----a-w	C:\WINDOWS\system32\ZoneLabs\vsdb.dll
- 2007-11-14 22:05:06	75,304	----a-w	C:\WINDOWS\system32\ZoneLabs\vsmon.exe
- 2007-11-14 22:04:52	2,029,032	----a-w	C:\WINDOWS\system32\ZoneLabs\vsmondll.dll
- 2007-11-14 22:04:54	1,361,384	----a-w	C:\WINDOWS\system32\ZoneLabs\vsruledb.dll
- 2007-11-14 22:04:54	239,080	----a-w	C:\WINDOWS\system32\ZoneLabs\vsvault.dll
- 2007-01-11 17:12:08	2,432,259	----a-w	C:\WINDOWS\system32\ZoneLabs\zlasdbup.dat
- 2007-11-14 22:04:56	177,640	----a-w	C:\WINDOWS\system32\ZoneLabs\zlparser.dll
- 2007-11-14 22:04:56	79,344	----a-w	C:\WINDOWS\system32\ZoneLabs\zlquarantine.dll
- 2007-11-14 22:04:58	382,440	----a-w	C:\WINDOWS\system32\ZoneLabs\zlsre.dll
- 2007-11-14 22:04:58	120,296	----a-w	C:\WINDOWS\system32\ZoneLabs\zlupdate.dll
- 2007-11-14 22:05:00	1,086,952	----a-w	C:\WINDOWS\system32\zpeng24.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
Note empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{22342B44-5B98-4B30-9D53-C182AD8DF217}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{93747BC3-6702-4137-8E3A-19C2CFEFAE3B}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AA5869D6-AA4A-49A5-8478-A78FF653C996}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c19a84c5-bf36-4527-b833-b33f8eb9fd9b}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00 15360]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]
"Tucan"="G:\Tuneup\virtumonde\AntiRootkit\PAVARK.exe" [ ]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Hcontrol"="C:\WINDOWS\ATK0100\Hcontrol.exe" [2004-07-19 15:05 61440]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2003-11-07 18:21 114688]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-10-06 23:10 344064]
"SonyPowerCfg"="C:\Program Files\Sony\VAIO Power Management\SPMgr.exe" [2004-10-21 21:12 184320]
"Switcher.exe"="C:\Program Files\Sony\Wireless Switch Setting Utility\Switcher.exe" [2004-10-26 00:20 167936]
"ISBMgr.exe"="C:\Program Files\Sony\ISB Utility\ISBMgr.exe" [2004-02-20 16:12 32768]
"VAIO Update 2"="C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe" [2004-09-21 20:54 151552]
"VAIO Recovery"="C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe" [2003-04-19 23:08 28672]
"VMConsole.exe"="C:\Program Files\Sony\VAIO Media Integrated Server\Platform\VMConsole.exe" [2004-06-23 21:37 557056]
"F-StopW"="C:\Program Files\FSI\F-Prot\F-StopW.EXE" [2003-06-11 16:10 290816]
"FRISK FP-Scheduler"="C:\Program Files\FSI\F-Prot\F-Sched.exe" [2003-04-07 10:47 323584]
"egui"="C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" [2007-11-08 16:13 1410304]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 06:00 110592 C:\WINDOWS\system32\bthprops.cpl]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 03:25 6731312]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-11-14 16:05 919016]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"MSN Messenger"="live.messenger.com" [2008-03-06 16:24 49167 C:\WINDOWS\live.messenger.com]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system] "DisableRegistryTools"= 0 (0x0)
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks] "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon] C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqnnnk]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon] VESWinlogon.dll 2004-10-27 17:40 73728 C:\WINDOWS\system32\VESWinlogon.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center] "AntiVirusDisableNotify"=dword:00000001 "AntiVirusOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\aMSN\\bin\\wish.exe"=
"C:\\WINDOWS\\system32\\rundll32.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\SwiftSwitch\\EliteSwitch.exe"=
"C:\\Program Files\\EliteSwitch\\EliteSwitch\\EliteSwitch.exe"=
R0 FPA_RTP;FPA_RTP;C:\WINDOWS\system32\Drivers\FSTOPW.SYS [2003-06-11 16:09]
R1 epfwtdir;epfwtdir;C:\WINDOWS\system32\DRIVERS\epfwtdir.sys [2007-11-08 16:17]
R3 SPI;Sony Programmable I/O Control Device;C:\WINDOWS\system32\DRIVERS\SonyPI.sys [2002-08-20 13:59]
S3 sonypvs1;Sony Digital Imaging Video2;C:\WINDOWS\system32\DRIVERS\sonypvs1.sys [2002-10-16 00:41]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D] \Shell\AutoRun\command - wscript go.vbs
.
Contents of the 'Scheduled Tasks' folder
"2005-10-31 18:46:45 C:\WINDOWS\Tasks\Registration reminder 1.job"
- C:\WINDOWS\system32\OOBE\oobebaln.exe
"2005-10-31 18:46:46 C:\WINDOWS\Tasks\Registration reminder 2.job"
- C:\WINDOWS\system32\OOBE\oobebaln.exe
"2005-10-31 18:46:46 C:\WINDOWS\Tasks\Registration reminder 3.job"
- C:\WINDOWS\system32\OOBE\oobebaln.exe
.
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-07 09:46:24
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes …
scanning hidden autostart entries …
scanning hidden files …
scan completed successfully hidden files: 0
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Sony\vaio entertainment\VzTaskScheduler.exe
C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
C:\Program Files\Sony\VAIO Media Integrated Server\VMISrv.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCs\VzHardwareResourceManager\VzHardwareResourceManager.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzRs\VzRs.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
.
.
Completion time: 2008-03-07 9:49:45 - machine was rebooted [Jenny3.0]
ComboFix-quarantined-files.txt 2008-03-07 15:49:34
ComboFix2.txt 2008-03-06 00:32:53
.
2008-03-05 05:41:00 --- E O F ---
I know there are some baddies in 'Valued Customer' in Docs and Setts. I'm pretty sure it's called eraseme.exe, or something very similar. I could not boot into Gentoo from a CD; it failed during the boot process… first time ever, I dunno why, but not important now. That dir is inaccessible: Valued Customer is not a user, and Admin can't get into it. It also says it's empty, but I know it contains something. I'm trying to get you the HJT now.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:35, on 2008-03-07
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Sony\vaio entertainment\VzTaskScheduler.exe
C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
C:\Program Files\Sony\VAIO Media Integrated Server\VMISrv.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
C:\Program Files\Sony\Wireless Switch Setting Utility\Switcher.exe
C:\Program Files\Sony\ISB Utility\ISBMgr.exe
C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Platform\VMConsole.exe
C:\Program Files\FSI\F-Prot\F-StopW.EXE
C:\Program Files\FSI\F-Prot\F-Sched.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\aMSN\bin\wish.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCs\VzHardwareResourceManager\VzHardwareResourceManager.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzRs\VzRs.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Firefox\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\Crusty.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {22342B44-5B98-4B30-9D53-C182AD8DF217} - C:\WINDOWS\system32\ssqnnnk.dll
O2 - BHO: (no name) - {4FECE18E-B9C2-44B0-A974-FE810B3F319C} - C:\WINDOWS\system32\awvvv.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {93747BC3-6702-4137-8E3A-19C2CFEFAE3B} - (no file)
O2 - BHO: (no name) - {AA5869D6-AA4A-49A5-8478-A78FF653C996} - (no file)
O2 - BHO: (no name) - {c19a84c5-bf36-4527-b833-b33f8eb9fd9b} - (no file)
O2 - BHO: {e14570f3-a653-e55b-7ea4-c6b428d2aa8e} - {e8aa2d82-4b6c-4ae7-b55e-356a3f07541e} - C:\WINDOWS\system32\mpcuaifp.dll
O4 - HKLM\..\Run: [Hcontrol] C:\WINDOWS\ATK0100\Hcontrol.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SonyPowerCfg] C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
O4 - HKLM\..\Run: [Switcher.exe] C:\Program Files\Sony\Wireless Switch Setting Utility\Switcher.exe
O4 - HKLM\..\Run: [ISBMgr.exe] C:\Program Files\Sony\ISB Utility\ISBMgr.exe
O4 - HKLM\..\Run: [VAIO Update 2] "C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe" /Stationary
O4 - HKLM\..\Run: [VAIO Recovery] C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe
O4 - HKLM\..\Run: [VMConsole.exe] C:\Program Files\Sony\VAIO Media Integrated Server\Platform\VMConsole.exe /windowmin
O4 - HKLM\..\Run: [F-StopW] C:\Program Files\FSI\F-Prot\F-StopW.EXE
O4 - HKLM\..\Run: [FRISK FP-Scheduler] C:\Program Files\FSI\F-Prot\F-Sched.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [BM0b8e15f7] Rundll32.exe "C:\WINDOWS\system32\twfuklut.dll",s
O4 - HKLM\..\RunServices: [MSN Messenger] live.messenger.com
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Tucan] "G:\Tuneup\virtumonde\AntiRootkit\PAVARK.exe" /Monitor
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: CabBuilder - http://ak.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1143580234718
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab57176.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: ssqnnnk - C:\WINDOWS\SYSTEM32\ssqnnnk.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - Unknown owner - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: VAIO Entertainment Aggregation and Control Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzRs\VzRs.exe
O23 - Service: VAIO Entertainment Task Scheduler - Sony Corporation - C:\Program Files\Sony\vaio entertainment\VzTaskScheduler.exe
O23 - Service: VAIO Entertainment TV Device Arbitration Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCs\VzHardwareResourceManager\VzHardwareResourceManager.exe
O23 - Service: VAIO Event Service - Sony Corporation - C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
O23 - Service: VAIO Media Integrated Server (VAIOMediaPlatform-IntegratedServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\VMISrv.exe
O23 - Service: VAIO Media Integrated Server (HTTP) (VAIOMediaPlatform-IntegratedServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Integrated Server (UPnP) (VAIOMediaPlatform-IntegratedServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Gateway Server (VAIOMediaPlatform-Mobile-Gateway) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\VmGateway.exe
O23 - Service: VAIO Media Video Server (VAIOMediaPlatform-VideoServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Video\GPVSvr.exe
O23 - Service: VAIO Media Video Server (UPnP) (VAIOMediaPlatform-VideoServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Entertainment UPnP Client Adapter (Vcsw) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: VAIO Entertainment Database Service (VzCdbSvc) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
O23 - Service: VAIO Entertainment File Import Service (VzFw) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
--
End of file - 12702 bytes
OK, so for those of us who are marginally anti-TechSpot, what exactly is the prob? Won't boot? Not even into safe mode? What version and SP of XP are you running?
Now reinstallation may not always be your first choice, but if it's that bad you may have to format and do a clean install. You may be able to repair it enough to burn your docs and pics to disc beforehand, though.
Have you had a Geeba.exe, ageeb.exe or similar (VundoFix?), as when I got one I had to reinstall in the end after tinkering for about 48 hours solid.
Whoever said reinstall XP, please leave this thread. NEVER give up; NEVER reinstall (unless you've got bad HDD sectors, a nonexistent registry, and the only option is reformatting… but that's another story).
XP Pro SP2 (build 2600, I think), VAIO laptop at 1.86 GHz, 1024 MB RAM; boots fine, runs fine.
The problems we've had so far involve simply high CPU overhead from the virus/virii and a problem with her MSN account randomly sending viral messages.
Her father wanted to give the lappy to her uncle to just reinstall Windows. Reinstalling is NOT an option because it would take ages to get everything reinstalled, and there is a program (F-Prot antivirus) that her dad does NOT want to get rid of… never heard of it, and I trust NOD32 more, tbh.
Thanks korg, as usual you're willing to help and that means a lot to me. Thanks for your time.
[edit] I have run vundofix and combofix, but whatever there is on her computer keeps repairing itself at boot. If anyone knows a version of nix on LiveCD that has built-in NTFS support, that would be great.
Umm… umm… I know how to use taskman, don't talk to me like I'm stupid please. Whatever it is does not show up in taskman, and it's not always high, but the computer definitely is much slower than it should be and occasionally there are periods of unnaturally high CPU overhead (roughly 10% without anything running), and it's not just Windows. The most logical conclusion is that there are hidden processes; we all know taskman doesn't show everything :\
I'm sorry I offended you; I meant no harm. However, if you insist, treat me how you will; I meant no offense. I was in no way trying to be ungrateful. I simply assumed that others would assume that I had already looked for that; I've obviously tried various things to figure out exactly what the problem is, and it is just logical that I would have searched for offending processes. If you have nothing constructive to say, please don't waste your time. Thanks.
OK Thors, here's what we do. Download Brute Force Uninstaller, as we might need it. Also get VundoFix 7.00 if you don't have it yet. Boot that baby up in safe mode and delete these files (if they won't delete, use the bruteforcer). These are common files I have for this virus; some may not be there.
C:\WINDOWS\winlogin.exe (NOT winlogon, which is part of Windows)
C:\WINDOWS\drone.exe
C:\WINDOWS\a.exe
C:\WINDOWS\i.sys
C:\WINDOWS\rofl.sys
C:\WINDOWS\wkssvc.exe
C:\WINDOWS\eraseme.exe or any eraseme file (ex: eraseme_25887.exe)
C:\WINDOWS\BM0b8e15f7.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\awvvv.dll
C:\WINDOWS\system32\kvbqpbhw.dll
C:\WINDOWS\system32\kvsphoco.ini
C:\WINDOWS\system32\lspqrdrq.dll
C:\WINDOWS\system32\mpcuaifp.dll
C:\WINDOWS\system32\nnfjmdgk.dll
C:\WINDOWS\system32\ocohpsvk.dll
C:\WINDOWS\system32\poowqsbw.dll
C:\WINDOWS\system32\ssqnnnk.dll
C:\WINDOWS\system32\twfuklut.dll
C:\WINDOWS\system32\vpmoofho.dll
C:\WINDOWS\system32\vvvwa.ini
C:\WINDOWS\system32\vvvwa.ini2
C:\WINDOWS\system32\whbpqbvk.ini
C:\WINDOWS\system32\wswiuoph.dll
C:\WINDOWS\system32\winwil32.dll
C:\WINDOWS\system32\pmkjj.dll
C:\WINDOWS\system32\jjkmp.ini
C:\WINDOWS\system32\jjkmp.bak1
C:\WINDOWS\system32\vtsqo.dll
C:\WINDOWS\system32\oqstv.ini
C:\WINDOWS\system32\oqstv.bak1
C:\WINDOWS\system32\oqstv.bak2
C:\WINDOWS\system32\oqstv.ini2
C:\WINDOWS\system32\efcbbaw.dll.vir
C:\WINDOWS\system32\svc.exe
C:\WINDOWS\system32\ujkohjwa.ini
C:\WINDOWS\system32\mpcuaifp.dll
C:\WINDOWS\system32\eraseme.exe (same as above)
Delete these registry entries:
BHO: (no name) - {22342B44-5B98-4B30-9D53-C182AD8DF217} - C:\WINDOWS\system32\ssqnnnk.dll
BHO: (no name) - {4FECE18E-B9C2-44B0-A974-FE810B3F319C} - C:\WINDOWS\system32\awvvv.dll
BHO: (no name) - {93747BC3-6702-4137-8E3A-19C2CFEFAE3B}
BHO: (no name) - {AA5869D6-AA4A-49A5-8478-A78FF653C996}
BHO: (no name) - {c19a84c5-bf36-4527-b833-b33f8eb9fd9b} - (no file)
O2 - BHO: {e14570f3-a653-e55b-7ea4-c6b428d2aa8e} - {e8aa2d82-4b6c-4ae7-b55e-356a3f07541e} - C:\WINDOWS\system32\mpcuaifp.dll
O4 - HKLM\..\Run: [BM0b8e15f7] Rundll32.exe "C:\WINDOWS\system32\twfuklut.dll",s
Reboot in SAFE MODE, then run VundoFix and ComboFix, in that order. Redo your HJT list if you still have a problem. This one is a bitch to get rid of, so be patient; it might take a couple of tries.
PS: Sorry it took so long to post back. We are having the worst snowstorm I've seen in a while. Couldn't even leave work till the plows came. <FUCK>
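Added example, not from this thread, HijackThis or any of the tools named in it: a small Python triage helper that reads HijackThis log lines like the ones posted above and flags the BHO CLSIDs and DLLs korg's post says to remove, plus a few heuristics of its own (unnamed BHOs, rundll32 autostarts from system32, services with an unknown owner). The heuristic rules are assumptions chosen for this example, and the sample lines are copied from this thread's log.

```python
import re

# Indicators named in the post above (the BHO CLSIDs and DLLs it says to remove).
# The heuristics further down are this example's own, not HijackThis rules.
KNOWN_BAD_CLSIDS = {
    "{22342B44-5B98-4B30-9D53-C182AD8DF217}", "{4FECE18E-B9C2-44B0-A974-FE810B3F319C}",
    "{93747BC3-6702-4137-8E3A-19C2CFEFAE3B}", "{AA5869D6-AA4A-49A5-8478-A78FF653C996}",
    "{C19A84C5-BF36-4527-B833-B33F8EB9FD9B}", "{E8AA2D82-4B6C-4AE7-B55E-356A3F07541E}",
}
KNOWN_BAD_FILES = {"ssqnnnk.dll", "awvvv.dll", "mpcuaifp.dll", "twfuklut.dll"}
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
FILE_RE = re.compile(r"[\w.-]+\.(?:dll|exe|sys)\b", re.I)
RUNDLL_SYS32_RE = re.compile(r'rundll32\.exe\s+"?[a-z]:\\windows\\system32\\', re.I)

def triage_line(line):
    """Return the reasons one HijackThis log line deserves attention ([] if none)."""
    line = line.strip()
    reasons = []
    if {c.upper() for c in CLSID_RE.findall(line)} & KNOWN_BAD_CLSIDS:
        reasons.append("known-bad CLSID")
    bad = sorted(m.lower() for m in FILE_RE.findall(line) if m.lower() in KNOWN_BAD_FILES)
    if bad:
        reasons.append("known-bad file: " + ", ".join(bad))
    # Unnamed BHOs are what the post removes; "(no file)" means only the registry entry is left.
    if re.match(r"(O2 - )?BHO: \(no name\)", line):
        reasons.append("unnamed BHO (review)")
        if "(no file)" in line:
            reasons.append("orphaned BHO entry")
    # The BM0b8e15f7 autostart in the log loads its DLL through rundll32 from system32.
    if line.startswith("O4 - ") and RUNDLL_SYS32_RE.search(line):
        reasons.append("rundll32 autostart from system32")
    # Only a prompt to check: the ESET HTTP server in this log is legitimate.
    if line.startswith("O23 - ") and "Unknown owner" in line:
        reasons.append("service with unknown owner (review)")
    return reasons

def triage_log(text):
    """Map each flagged HijackThis line to its reasons; clean lines are left out."""
    return {ln.strip(): r for ln in text.splitlines() for r in [triage_line(ln)] if r}

# Constructed sample: a few lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {22342B44-5B98-4B30-9D53-C182AD8DF217} - C:\WINDOWS\system32\ssqnnnk.dll
O2 - BHO: (no name) - {c19a84c5-bf36-4527-b833-b33f8eb9fd9b} - (no file)
O4 - HKLM\..\Run: [BM0b8e15f7] Rundll32.exe "C:\WINDOWS\system32\twfuklut.dll",s
O23 - Service: Eset HTTP Server (EhttpSrv) - Unknown owner - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
"""
```

Calling `triage_log(SAMPLE_LOG)` flags four of the five sample lines and leaves the legitimate ekrn service untouched, which is the point of keeping "review" flags separate from known-bad hits.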
Ah, you were right, I should have come here first. Her dad gave the lappy to her uncle to reformat today; she called me a while back. I've been working on this bitch for about a week and I guess he finally got a bit impatient. The biggest problem with that is that she'll probably only have a limited account now, but we might be able to solve that if we ever get physical access to the lappy when her parents aren't at home.
Though she said something about it being about time to buy her own… I can help out with that :D
Thanks anyway, mate. By the way, any specific sites you know where I can read up on some of these virii? I just google whatever a scanner comes up with, but if you know any databases I can read through periodically it would be pretty cool.
Thanks so much for your trouble. BTW, we got about .00001" of snow here :D didn't stick at all.