Author Topic: 5 Trojans keep taking me to partypoker.com Need help cleaning out


mauserme

  • Guest
Re: 5 Trojans keep taking me to partypoker.com Need help cleaning out
« Reply #15 on: June 21, 2007, 04:34:23 AM »
Oh man.  I reran SUPERAntiSpyware because I had a popup asking about updates and I now have a bunch of things popping up.  I'll post them as soon as the spyware finishes scanning my files.    ???
Do you mean pop ups on your screen or just lots of detections in SuperAntiSpyware?

The cookies in your log are not a problem.  And we will deal with the System Volumes detection a bit later on.  These will not be difficult.

If you haven't already downloaded OTMoveIt please do, then double-click OTMoveIt.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\WINDOWS\system32\winpfz32.sys
C:\WINDOWS\system32\nkdsregs.exe
C:\Program Files\svhost
C:\Program Files\poolsv
C:\WINDOWS\poolsv.exe



Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
Click the red Moveit! button.
Copy everything in the Results window to the clipboard by highlighting ALL of it and pressing CTRL + C (or, after highlighting, right-click and choose Copy), and paste it into your next reply along with new ComboFix and HijackThis logs.
Close OTMoveIt
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.


Also, please upload the following file to Virus Total for analysis and post the results

C:\WINDOWS\system32\kwinlodt.exe
« Last Edit: June 21, 2007, 04:39:05 AM by mauserme »

brenda31

  • Guest
Re: 5 Trojans keep taking me to partypoker.com Need help cleaning out
« Reply #16 on: June 21, 2007, 04:48:55 AM »
I'm sorry.  I had meant a lot of pop ups on the spyware.

I have run OTMoveIt and copied and moved the files you asked me to.  If I understand right, I should re-run ComboFix and HijackThis?

brenda31

  • Guest
Re: 5 Trojans keep taking me to partypoker.com Need help cleaning out
« Reply #17 on: June 21, 2007, 04:50:52 AM »
File/Folder C:\WINDOWS\system32\winpfz32.sys not found.
C:\WINDOWS\system32\nkdsregs.exe moved successfully.
C:\Program Files\svhost moved successfully.
C:\Program Files\poolsv moved successfully.
C:\WINDOWS\poolsv.exe moved successfully.
 
Created on 06-20-2007 21:45:45

mauserme

  • Guest
Re: 5 Trojans keep taking me to partypoker.com Need help cleaning out
« Reply #18 on: June 21, 2007, 04:53:24 AM »
First copy the contents of the Results window in OTMoveIt and paste them here, then re-run ComboFix and HijackThis (in that order).

BTW, one of the files I saw is a back door trojan that could be capable of stealing passwords, etc.  If you do any on-line banking or other financial transactions on this computer you should contact your bank, change passwords, etc.  But do this from a clean computer.


EDIT:  Don't forget to upload this to Virus Total

C:\WINDOWS\system32\kwinlodt.exe

 

brenda31

  • Guest
Re: 5 Trojans keep taking me to partypoker.com Need help cleaning out
« Reply #19 on: June 21, 2007, 05:10:31 AM »
Logfile of HijackThis v1.99.1
Scan saved at 22:08, on 2007-06-20
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Airlink101\AWLC4030\WLService.exe
C:\Program Files\Airlink101\AWLC4030\WLanCfgAG.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HPQ\SHARED\HPQWMI.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Brenda Mayorga\Desktop\OTMoveIt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=pavilion&pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: wkcalrem.LNK = C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=pavilion&pf=laptop
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1176249475250
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1176249440859
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Super G Wireless Cardbus Service - Unknown owner - C:\Program Files\Airlink101\AWLC4030\WLService.exe


brenda31

  • Guest
Re: 5 Trojans keep taking me to partypoker.com Need help cleaning out
« Reply #20 on: June 21, 2007, 05:12:10 AM »
I did the OTMoveIt, followed by ComboFix and then HijackThis; however, I cannot find the log for ComboFix.

mauserme

  • Guest
Re: 5 Trojans keep taking me to partypoker.com Need help cleaning out
« Reply #21 on: June 21, 2007, 05:13:56 AM »
Did it overwrite your previous log?

brenda31

  • Guest
Re: 5 Trojans keep taking me to partypoker.com Need help cleaning out
« Reply #22 on: June 21, 2007, 05:17:17 AM »
I believe this is the correct combofix log

ComboFix 07-06-18.2
"Brenda Mayorga" - 2007-06-19 20:01:22 - Service Pack 2  NTFS 


((((((((((((((((((((((((((((((((((((((((((((   V Log   )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\cayjqija.dll
C:\WINDOWS\system32\ewscknwt.dll
C:\WINDOWS\system32\gjidsoiv.dll
C:\WINDOWS\system32\kimmrbbf.dll
C:\WINDOWS\system32\ajiqjyac.ini
C:\WINDOWS\system32\twnkcswe.ini
C:\WINDOWS\system32\viosdijg.ini
C:\WINDOWS\system32\klnmp.bak1
C:\WINDOWS\system32\klnmp.bak2
C:\WINDOWS\system32\klnmp.ini2
C:\WINDOWS\system32\klnmp.tmp
C:\WINDOWS\system32\klnmp.bak1
C:\WINDOWS\system32\klnmp.bak2
C:\WINDOWS\system32\klnmp.ini2
C:\WINDOWS\system32\klnmp.tmp
C:\WINDOWS\system32\klnmp.bak1
C:\WINDOWS\system32\klnmp.bak2
C:\WINDOWS\system32\klnmp.ini2
C:\WINDOWS\system32\klnmp.tmp
C:\WINDOWS\system32\opnmmml.dll
C:\WINDOWS\system32\pmnlk.dll


* * *  POST RUN FILES/FOLDERS  * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\Common Files\Yazzle1549OinUninstaller.exe
C:\WINDOWS\svhost.exe


(((((((((((((((((((((((((   Files Created from 2007-05-20 to 2007-06-20  )))))))))))))))))))))))))))))))


2007-06-19 19:58   49,152   --a------   C:\WINDOWS\nircmd.exe
2007-06-19 04:05   192,602   --a------   C:\WINDOWS\system32\kwinlodt.exe
2007-06-18 13:35   932   --a------   C:\WINDOWS\system32\winpfz32.sys
2007-06-18 13:31   191,006   --a------   C:\WINDOWS\system32\nkdsregs.exe
2007-06-17 00:21   <DIR>   d--------   C:\Program Files\svhost
2007-06-17 00:20   <DIR>   d--------   C:\Program Files\poolsv
2007-06-17 00:16   36,352   --a------   C:\WINDOWS\poolsv.exe
2007-06-17 00:14   0   -rahs----   C:\MSDOS.SYS
2007-06-17 00:14   0   -rahs----   C:\IO.SYS
2007-06-15 23:45   <DIR>   d--------   C:\DOCUME~1\ALLUSE~1\APPLIC~1\Yahoo!
2007-06-15 23:29   <DIR>   d--------   C:\Program Files\Yahoo!
2007-06-14 13:01   <DIR>   d--------   C:\DOCUME~1\BRENDA~1\APPLIC~1\Snapfish
2007-06-13 16:24   <DIR>   d--------   C:\DOCUME~1\BRENDA~1\APPLIC~1\IMVU


((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-18 07:09:46   --------   d-----w   C:\Program Files\Messenger
2007-06-09 05:52:17   --------   d-----w   C:\DOCUME~1\BRENDA~1\APPLIC~1\AdobeUM
2007-05-16 15:12:02   683,520   ----a-w   C:\WINDOWS\system32\inetcomm.dll
2007-05-14 22:17:57   --------   d-----w   C:\DOCUME~1\BRENDA~1\APPLIC~1\Viewpoint
2007-05-09 12:14:32   --------   d-----w   C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-04-25 14:21:15   144,896   ----a-w   C:\WINDOWS\system32\schannel.dll
2007-04-18 16:12:23   2,854,400   ----a-w   C:\WINDOWS\system32\msi.dll
2007-04-17 03:45:48   549,720   ----a-w   C:\WINDOWS\system32\wuapi.dll


(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
 
 
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll [2003-11-03 16:17]
{53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 01:04]
{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}=C:\Program Files\Yahoo!\Common\yiesrvc.dll [2006-10-31 15:33]
{7FE07CC5-E966-49EB-9D62-EB3B69656283}=C:\Program Files\Messenger\meqot43855.dll [2007-06-14 06:54]
{AA58ED58-01DD-4d91-8333-CF10577473F7}=c:\program files\google\googletoolbar2.dll [2007-01-19 23:55]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-04-11 12:00]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe" [2005-03-04 05:36]
"hpWirelessAssistant"="C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-04-01 17:11]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2005-02-02 07:12]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-02-02 07:11]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-12 00:12]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2004-10-13 18:04]
"eabconfg.cpl"="C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-12-03 15:24]
"Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [2005-02-17 16:01]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-14 15:54]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-01-15 11:28]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 18:20]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-04-29 08:02]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:00]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2007-06-11 18:16]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup=C:\WINDOWS\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Spyware Protection]
"C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"

brenda31

  • Guest
Re: 5 Trojans keep taking me to partypoker.com Need help cleaning out
« Reply #23 on: June 21, 2007, 05:18:03 AM »
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER


Contents of the 'Scheduled Tasks' folder
2007-05-14 12:29:00  C:\WINDOWS\tasks\Easy Internet Sign-up.job
2007-06-20 01:22:41  C:\WINDOWS\tasks\MP Scheduled Scan.job

**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-19 20:21:22
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  Cpqset = C:\Program Files\HPQ\Default Settings\cpqset.exe???????????????|?p???? ???B?????????????hLC? ??????

scanning hidden files ...

**************************************************************************

Completion time: 2007-06-19 20:26:31 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-06-19 20:25

   --- E O F ---

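Added example, not part of the thread and not produced by ComboFix, HijackThis or OTMoveIt: a small Python triage script for the "Files Created" section of a ComboFix log like the one posted above. It flags the pattern the helper is acting on in this thread, namely file or folder names that are one or two characters off a genuine Windows binary (svhost vs. svchost.exe, poolsv vs. spoolsv.exe, both of which appear legitimately under C:\WINDOWS\system32 in the HijackThis "Running processes" list), and a genuine name sitting outside its home directory. The sample lines are copied from the ComboFix log above; the two lines in CONSTRUCTED are made up to show a clean entry and a same-name-wrong-directory entry. The KNOWN_GOOD list, the expected directory and the edit-distance threshold are this example's own choices, not anything those tools use.

```python
import re

# Genuine Windows XP binaries, taken from the "Running processes" list in the
# HijackThis log above; on a stock install all of them live in C:\WINDOWS\system32.
# The list and the edit-distance threshold are this example's choices.
KNOWN_GOOD = ("svchost.exe", "spoolsv.exe", "winlogon.exe", "lsass.exe",
              "services.exe", "smss.exe", "ctfmon.exe")
EXPECTED_DIR = r"c:\windows\system32"

# One ComboFix "Files Created" line: timestamp, size or <DIR>, attribute flags, path.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+"
    r"(?P<size><DIR>|[\d,]+)\s+"
    r"(?P<attrs>[-a-z]+)\s+"
    r"(?P<path>[A-Za-z]:\\.+)$"
)

# Copied verbatim from the ComboFix log posted in this thread.
SAMPLE = r"""
2007-06-19 19:58   49,152   --a------   C:\WINDOWS\nircmd.exe
2007-06-19 04:05   192,602   --a------   C:\WINDOWS\system32\kwinlodt.exe
2007-06-18 13:35   932   --a------   C:\WINDOWS\system32\winpfz32.sys
2007-06-18 13:31   191,006   --a------   C:\WINDOWS\system32\nkdsregs.exe
2007-06-17 00:21   <DIR>   d--------   C:\Program Files\svhost
2007-06-17 00:20   <DIR>   d--------   C:\Program Files\poolsv
2007-06-17 00:16   36,352   --a------   C:\WINDOWS\poolsv.exe
2007-06-17 00:14   0   -rahs----   C:\MSDOS.SYS
"""

# Constructed, not from the log: a clean system32 entry and a genuine name in the
# wrong directory, to exercise both branches of the check.
CONSTRUCTED = r"""
2007-06-18 07:09   14,336   --a------   C:\WINDOWS\system32\svchost.exe
2007-06-18 07:10   14,336   --a------   C:\WINDOWS\svchost.exe
"""


def levenshtein(a, b):
    """Plain edit distance, written out so the example needs no extra package."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def stem(name):
    """File name without its last extension, lower-cased; directories have none."""
    return name.lower().rsplit(".", 1)[0]


def triage(lines, max_distance=2):
    """Return [(path, reason)] for entries whose name mimics a known Windows binary."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue            # section headers, blanks, anything not in this layout
        path = m.group("path")
        directory, _, name = path.rpartition("\\")
        for good in KNOWN_GOOD:
            if name.lower() == good:
                # Genuine name: suspicious only when it sits outside its home directory.
                if directory.lower() != EXPECTED_DIR:
                    findings.append((path, f"{good} outside {EXPECTED_DIR}"))
                break
            d = levenshtein(stem(name), stem(good))
            if 0 < d <= max_distance:
                findings.append((path, f"look-alike of {good} (edit distance {d})"))
                break
    return findings


if __name__ == "__main__":
    for path, reason in triage((SAMPLE + CONSTRUCTED).splitlines()):
        print(f"{path:45} {reason}")
```

On a real log, feed it the whole file: every line that is not in the "Files Created" layout is ignored. Keep the name list short; with a threshold of 2, a four-letter stem such as smss will match a lot of unrelated names, so treat the output as a worklist to check by hand, not a verdict.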
mauserme

  • Guest
Re: 5 Trojans keep taking me to partypoker.com Need help cleaning out
« Reply #24 on: June 21, 2007, 05:21:02 AM »
I believe this is the correct combofix log

ComboFix 07-06-18.2
"Brenda Mayorga" - 2007-06-19 20:01:22 - Service Pack 2  NTFS 
No, that one has yesterday's date ...

brenda31

  • Guest
Re: 5 Trojans keep taking me to partypoker.com Need help cleaning out
« Reply #25 on: June 21, 2007, 05:21:55 AM »
This is what I got when I tried to upload the file to virustotal


0 bytes size received / Se ha recibido un archivo vacio

brenda31

  • Guest
Re: 5 Trojans keep taking me to partypoker.com Need help cleaning out
« Reply #26 on: June 21, 2007, 05:26:07 AM »
That is the only log I see, except for one called ComboFix-quarantined files, but it has yesterday's date.

Should I rerun the ComboFix and HiJackThis again in that order?

mauserme

  • Guest
Re: 5 Trojans keep taking me to partypoker.com Need help cleaning out
« Reply #27 on: June 21, 2007, 05:26:20 AM »
This is what I got when I tried to upload the file to virustotal


0 bytes size received / Se ha recibido un archivo vacio

OK, we're going to get rid of that one too but give me a little time with the HJT log.

In the meantime see if you can find the most recent ComboFix log.

EDIT:
Should I rerun the ComboFix and HiJackThis again in that order?
Just ComboFix this time, but delete the old log first.
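Added example, not from the thread and not from VirusTotal: a pre-submission check to run before uploading a suspect file. VirusTotal's "0 bytes size received" message means the browser handed it an empty file, so read the file locally first and record its size and hashes. Comparing the size against what the ComboFix log reported for the same path (192,602 bytes for kwinlodt.exe in the "Files Created" list above) tells you whether you are even looking at the file the log described, and the SHA-256 can be searched on VirusTotal without uploading anything. The file contents below are constructed stand-ins written to a temporary directory; nothing real is hashed or uploaded.

```python
import hashlib
import os
import tempfile


def describe_sample(path, expected_size=None):
    """Read a file destined for VirusTotal and return its size, MD5 and SHA-256
    together with a status: 'missing', 'empty', 'size-mismatch' or 'ok'.
    expected_size is the byte count a scanner log (here ComboFix) reported for it."""
    if not os.path.isfile(path):
        return {"path": path, "status": "missing"}
    with open(path, "rb") as fh:
        data = fh.read()          # samples are small; chunk this for large files
    info = {
        "path": path,
        "size": len(data),
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }
    if not data:
        # Uploading this is pointless: it is exactly what "0 bytes size received" reports.
        info["status"] = "empty"
    elif expected_size is not None and len(data) != expected_size:
        # Readable, but not the file the log described; investigate before submitting.
        info["status"] = "size-mismatch"
    else:
        info["status"] = "ok"
    return info


# From the ComboFix "Files Created" line for C:\WINDOWS\system32\kwinlodt.exe above.
COMBOFIX_REPORTED_SIZE = 192_602


def demo():
    """Exercise the check on constructed files; returns the four results."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed stand-in: an MZ header followed by zeros, 512 bytes, not real malware.
        stand_in = os.path.join(tmp, "kwinlodt.exe")
        with open(stand_in, "wb") as fh:
            fh.write(b"MZ" + b"\x00" * 510)
        empty = os.path.join(tmp, "kwinlodt-empty.exe")
        open(empty, "wb").close()

        results["wrong_size"] = describe_sample(stand_in, COMBOFIX_REPORTED_SIZE)
        results["ok"] = describe_sample(stand_in, expected_size=512)
        results["empty"] = describe_sample(empty, COMBOFIX_REPORTED_SIZE)
        results["missing"] = describe_sample(os.path.join(tmp, "not-there.exe"))
    return results


if __name__ == "__main__":
    for label, info in demo().items():
        print(f"{label:11} {info['status']:14} {str(info.get('size', '-')):>7} "
              f"{info.get('sha256', '')[:16]}")
```

Only an "ok" result is worth uploading; "empty" reproduces the VirusTotal error locally, and "size-mismatch" means the copy you can read is not the one the scanner saw.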

mauserme

  • Guest
Re: 5 Trojans keep taking me to partypoker.com Need help cleaning out
« Reply #28 on: June 21, 2007, 05:40:40 AM »
There was a program file created on 19 June related to a program called NirCmd.  Here is a description

http://www.nirsoft.net/utils/nircmd.html

Are you aware of this program on your computer?


EDIT:  Your HJT log looks good.
« Last Edit: June 21, 2007, 05:49:57 AM by mauserme »

brenda31

  • Guest
Re: 5 Trojans keep taking me to partypoker.com Need help cleaning out
« Reply #29 on: June 21, 2007, 06:01:11 AM »
I've run ComboFix twice and cannot find the log.  I did delete yesterday's.
I only find the ComboFix quarantined files.

Code:
2007-06-17 00:21      38400    --a------    C:\Qoobox\Quarantine\C\WINDOWS\svhost.exe.vir
2007-06-17 00:46      285273    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\pmnlk.dll.vir
2007-06-17 00:49      1808184    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\klnmp.bak1.vir
2007-06-17 00:49      62516    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\kimmrbbf.dll.vir
2007-06-17 00:51      124436    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\gjidsoiv.dll.vir
2007-06-17 01:37      921779    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\viosdijg.ini.vir
2007-06-18 00:58      124436    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\cayjqija.dll.vir
2007-06-18 00:59      345    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\ajiqjyac.ini.vir
2007-06-18 13:53      1811116    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\klnmp.tmp.vir
2007-06-19 00:54      1813276    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\klnmp.bak2.vir
2007-06-19 02:30      124436    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\ewscknwt.dll.vir
2007-06-19 19:59      901924    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\twnkcswe.ini.vir
2007-06-19 20:10      1812605    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\klnmp.ini2.vir
2007-06-19 20:12      104    --a------    C:\Qoobox\Quarantine\catchme.log


Folder PATH listing
Volume serial number is 074F-92BD
C:\QOOBOX
\---Quarantine
    |   catchme.log
    |   
    +---C
    |   +---Program Files
    |   |   \---Common Files
    |   \---WINDOWS
    |       |   svhost.exe.vir
    |       |   
    |       \---system32
    |               ajiqjyac.ini.vir
    |               cayjqija.dll.vir
    |               ewscknwt.dll.vir
    |               gjidsoiv.dll.vir
    |               kimmrbbf.dll.vir
    |               klnmp.bak1.vir
    |               klnmp.bak2.vir
    |               klnmp.ini2.vir
    |               klnmp.tmp.vir
    |               pmnlk.dll.vir
    |               twnkcswe.ini.vir
    |               viosdijg.ini.vir
    |               
    \---Registry_backups