Virus and Pop Up Issues

[MareJordan]

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{24A41A0B-4D59-4FA3-86F6-A5EE3C482313}]
         C:\Program Files\Windows NT\mevojuliC:\WINDOWS\system32\v2\swdrv83122.exe.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{62179339-1920-4AED-A272-A889231DE4A5}]
         C:\Program Files\Windows NT\mevojuliC:\DOCUME~1\Owner\LOCALS~1\Temp\CEMG555077.exe.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]
"DW4"="" []
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-09-06 03:06]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-12-06 05:43]
"FLMOFFICE4DMOUSE"="C:\Program Files\Micro Innovations\Wireless Optical Mouse\mouse32a.exe" [2006-06-21 19:30]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 02:41]
"QuickFinder Scheduler"="c:\Corel\Office7\Shared\QFinder7\QFSCHED.EXE" [1996-10-16 00:02]
"RCSystemTray"="C:\Program Files\Registry Cleaner\RCSystemTray.exe" [2006-11-28 15:18]
"KBD"="C:\HP\KBD\KBD.EXE" [2005-02-02 16:44]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-02-17 13:58]
"NI.UGDC_0001_N122M2610"="c:\documents and settings\owner\application data\installer_en[1].exe" []
"TMT"="C:\WINDOWS\Gwang.exe" []
"64ced7fd"="C:\WINDOWS\system32\vjuvtfoi.dll" []
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]

C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
PerfectPrint.LNK - C:\Corel\Office7\Shared\PFit7\PFPPOP70.EXE [2006-11-17 12:51:26]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 21:05:26]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 04:21:22]
Instant Update.lnk - C:\Program Files\U.S. Robotics\Instant Update\InstUpDt.exe [2007-09-12 12:00:22]
KODAK Software Updater.lnk - C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe [2004-02-13 14:12:08]

[MareJordan]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders   msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Event Reminder.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Event Reminder.lnk
backup=C:\WINDOWS\pss\Event Reminder.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^spamsubtract.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\spamsubtract.lnk
backup=C:\WINDOWS\pss\spamsubtract.lnkStartup
         
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
         AGRSMMSG.exe
         
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]
         ALCXMNTR.EXE
         
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avast!]
2007-09-06 03:06   79224   --a------   C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
         
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BearShare]
         C:\Program Files\BearShare\BearShare.exe /pause
         
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2004-08-04 00:56   15360   --a------   C:\WINDOWS\system32\ctfmon.exe
         
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTRegRun]
1999-10-10 10:00   41984   -----c---   C:\WINDOWS\CTRegRun.EXE
         
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DW4]
2005-11-07 15:49   601200   --a------   C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe
         
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
2003-03-27 02:34   172032   --a--c---   C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
         
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]
1998-05-07 17:04   52736   --a--c---   c:\windows\system\hpsysdrv.exe
         
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]
2005-02-02 16:44   61440   --a------   C:\HP\KBD\KBD.EXE
         
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoRepair]
         C:\Program Files\Logitech\Video\ISStart.exe
         
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoTray]
         C:\Program Files\Logitech\Video\LogiTray.exe
         
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LVCOMSX]
         C:\WINDOWS\system32\LVCOMSX.EXE
         
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MyWebSearch Email Plugin]
         C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe
         
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PS2]
2003-09-12 20:13   98304   --a--c---   C:\WINDOWS\system32\ps2.exe
         
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
         C:\Program Files\QuickTime\qttask.exe -atboottime
         
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
2003-11-03 17:50   221184   --a--c---   C:\WINDOWS\SMINST\RECGUARD.EXE
         
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RecordNow!]
         
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2004-01-26 03:24   32881   --a--c---   C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
         
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sunkist2k]
2003-10-29 10:17   135168   --a--c---   C:\Program Files\Multimedia Card Reader\shwicon2k.exe
         
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
         C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
         
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
         C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe /r
         
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTimer]
         VTTimer.exe
         
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinMX]
         C:\Program Files\WinMX\WinMX.exe -m
         
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\XoftSpy]
         C:\Program Files\XoftSpy\XoftSpy.exe -s
         
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
         C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet

[MareJordan]

R1 UdfReadr;UdfReadr;C:\WINDOWS\system32\drivers\UdfReadr.sys
S3 SNDP610;Dual Mode Camera;C:\WINDOWS\system32\DRIVERS\sndp610.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-12-08 04:17:28 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2005-04-15 21:04:29 C:\WINDOWS\Tasks\XoftSpy.job"
- C:\Program Files\XoftSpy\XoftSpy.exe
.
**************************************************************************

catchme 0.3.1318 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-07 21:22:46
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-07 21:23:45
C:\ComboFix2.txt ... 2007-12-07 21:16
.
   --- E O F ---

[MareJordan]

After running SAS ...  it tells me each time that I do run it .. These two file names show up each time:
  Trojan.Downloader-LDCORE
  Trojan.WinFixer

[oldman]

I'll give you few steps to do. please do them in order. If you have any problems, let me know. Just take your time.

Open hijackthis and run system scan only, place a check mark next to the following lines

O2 - BHO: (no name) - {24A41A0B-4D59-4FA3-86F6-A5EE3C482313} - C:\Program Files\Windows NT\mevojuliC:\WINDOWS\system32\v2\swdrv83122.exe.dll (file missing)
O2 - BHO: (no name) - {62179339-1920-4AED-A272-A889231DE4A5} - C:\Program Files\Windows NT\mevojuliC:\DOCUME~1\Owner\LOCALS~1\Temp\CEMG555077.exe.dll (file missing)
O2 - BHO: (no name) - {F7ACDBCE-CDCB-4A5C-AAA2-9B28612DB6A5} - C:\WINDOWS\system32\ddccb.dll
O4 - HKLM\..\Run: [TMT] C:\WINDOWS\Gwang.exe
O4 - HKLM\..\Run: [64ced7fd] rundll32.exe "C:\WINDOWS\system32\vjuvtfoi.dll",b
O8 - Extra context menu item: &Search - ?p=ZU
O20 - AppInit_DLLs:  c:\windows\system32\ldcore.dll

Close all browsers/windows, click fix. Close HJT.


Please upload these files to www.virustotal.com  and post the results.

C:\WINDOWS\ms042771381691.exe





Please download ERUNT from, (it's a registry backup program)

http://www.larshederer.homepage.t-online.de/erunt/

and backup your registry


Open a new Notepad session (Do not use a Word Processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled.

Copy and paste all the text in the quote box below into Notepad.

Click File, Save as..., and set the location to your Desktop, and enter (including quotation marks) as the filename: "CFscript.txt" . Using your mouse left button, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown at the bottom of this post.

File::
C:\WINDOWS\system32\bccdd.ini2
C:\WINDOWS\system32\ddccb.dll
C:\WINDOWS\system32\ldcore.dll
C:\WINDOWS\hg173.exe
C:\WINDOWS\system32\vjuvtfoi.dll
C:\WINDOWS\Gwang.exe
C:\WINDOWS\system32\fmwokixo.ini
C:\WINDOWS\system32\poxvlnmh.ini
C:\WINDOWS\system32\oclyfepm.ini
C:\WINDOWS\system32\evseffuq.ini
C:\WINDOWS\system32\tedqcoyv.ini
C:\WINDOWS\system32\npmfetef.tmp
C:\WINDOWS\system32\npmfetef.ini
C:\WINDOWS\system32\oyypgmcg.ini
C:\WINDOWS\system32\ioftvujv.ini




Folder::
C:\WINDOWS\system32\v2
C:\WINDOWS\system32\bmv2
C:\WINDOWS\system32\t21
C:\WINDOWS\system32\rev1
C:\WINDOWS\system32\daSgo06
C:\WINDOWS\system32\rMa02yy
C:\temp\bkR11
 


Registry::
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00

This will start ComboFix again.Close  all browser/windows first. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new DSS log.

[MareJordan]

It's been hours sense I have been on the computer, and I left the computer running overnite too. I believe some things have changed! I was only able find 5 of the 7 items to fix with HJT. No longer on the new scan of HJT:

O2 - BHO: (no name) - {F7ACDBCE-CDCB-4A5C-AAA2-9B28612DB6A5} - C:\WINDOWS\system32\ddccb.dll

O20 - AppInit_DLLs:  c:\windows\system32\ldcore.dll

C:\WINDOWS\ms042771381691.exe



Do I need to resend a new log to you, to view, and start over?

[oldman]

Just complete the all steps and post the logs as requested. There is more living on your computer, and the fixes are designed to remove them.

The missing line may be normal. We'll see after you finish and post back.

edited for spelling 

[MareJordan]

Please download ERUNT from, (it's a registry backup program)

http://www.larshederer.homepage.t-online.de/erunt/

and backup your registry

I need help here please, I am insecured just what to download.. Please? Thanks

[oldman]

Sorry, the one you want is on the left. The download link is called server 1 ,2 0r 3.

[MareJordan]

I actually had that figured out ...  I chose Server 2 and I have WindowsXP. .. This page site is where I am confused. (I personally feel that I am not knowledgeable enough for this smart stuff!!)
 
 

[oldman]

You're doing fine. 

After you click server2, a download window should appear, click save.

In the next box that appear, make sure the top box (save in) is set to desktop, click save. To run the program, double click the file you have just downloaded.

[oldman]

Oh, I see what happened. Click right on server2   

[oldman]

PLEASE note

when doing the combofix fix

A window may open with a warning. Type "1" (and Enter) to start the fix. When the scan completes Notepad will open with with your results log open. Click File,  click Exit and answer 'Yes' to save changes

[MareJordan]

I am but being totally challenged!!  Darn dial modem is going out of order on me again!!!!  If I dont get back to you after a lengthy time, its because the modem died...  okay?  I am scheduled to have "WildBlue" satelite installed shortly, we will continue then? 

Yes, after leaving my last post, I realized that I was clking on the website itself rather then [Server2].

Do I need to disable "XP's System Restore'? If I do, I dont know how to do that either..   

[oldman]

No you can leave system restore on if you want.

We should do this asap, you have some downloaders, that must be removed, or you will have more problems.

Also in HJT please fix this line

O4 - HKLM\..\Run: [NI.UGDC_0001_N122M2610] "c:\documents and settings\owner\application data\installer_en[1].exe