Infected With The Spyware-cyberlog-x Virus, have tried everything and I can't fix it!
aaronjking
post Nov 15 2007, 07:21 PM
Post #1


New Member

Group: Members
Posts: 11
Joined: 12-November 07
Member No.: 169,275



I've been infected with the cyberlog-x virus or the trojan-Spy.win32@mx virus. I've tried everything I have found online to remove it and nothing has worked. Not even SmitfraudFix will do anything. Please help me with this. I followed the steps you outlined to prepare for this posting.

My Hijackthis log is:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:53:30 PM, on 11/15/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\BitDefender\BitDefender 2008\seccenter.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\MSN Messenger\livecall.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Jeremy\Local Settings\Temporary Internet Files\Content.IE5\UXLOKVCT\stinger[1].exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Google Web Accelerator Helper - {69A87B7D-DE56-4136-9655-716BA50C19C7} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: {b23d044f-f519-142a-f984-24e140f38fe7} - {7ef83f04-1e42-489f-a241-915ff440d32b} - C:\WINDOWS\system32\sdgleevm.dll
O2 - BHO: (no name) - {99F4FDB7-60C5-441E-92B1-408B8AB99C26} - C:\WINDOWS\system32\ursrr.dll (file missing)
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\bdkefiaf.dll
O2 - BHO: (no name) - {CB94BE1D-F27F-4AC5-8A9C-C43A93CAC863} - C:\Program Files\Internet Explorer\hokenowa4444.dll (file missing)
O2 - BHO: (no name) - {d83d0080-d489-4405-a5a6-fd944a52759a} - C:\WINDOWS\system32\diqdwbo.dll (file missing)
O2 - BHO: (no name) - {F3BE9629-376E-4DA8-BFA3-7E38ABF03CBB} - C:\Program Files\Internet Explorer\hokenowa83122.dll (file missing)
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2008\IEToolbar.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\bdkefiaf.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [BitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2008\IEShow.exe"
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.safety.live.com/resource/d...lscbase8460.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O16 - DPF: {DABFA9AD-4E31-43F4-9D60-4CDD20F57F28} (PhotomaxUploader.ActiveXControl) - http://photomax.com/web/PhotomaxUploader.CAB
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/popcaploader_v10.cab
O16 - DPF: {E3E02F12-2ADB-478C-8742-5F0819F9F0F4} (Quantum Streaming IE VersionManager Class) - http://qmedia.xlontech.net/100170/sdk/late...2ie06041001.cab
O20 - Winlogon Notify: bdkefiaf - C:\WINDOWS\SYSTEM32\bdkefiaf.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender S.R.L. - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S.R.L. - C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - Softwin - C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe

--
End of file - 6813 bytes





My SmitfraudFix log is:

SmitFraudFix v2.253

Scan done at 7:43:01.65, Thu 11/15/2007
Run from C:\Documents and Settings\Jeremy\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts


127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Intel® PRO/Wireless 2915ABG Network Connection - Packet Scheduler Miniport
DNS Server Search Order: 192.168.0.1
DNS Server Search Order: 205.171.3.65

HKLM\SYSTEM\CCS\Services\Tcpip\..\{90E94676-6819-4552-B794-4CCF36F600A3}: DhcpNameServer=192.168.0.1 205.171.3.65
HKLM\SYSTEM\CS1\Services\Tcpip\..\{90E94676-6819-4552-B794-4CCF36F600A3}: DhcpNameServer=192.168.0.1 205.171.3.65
HKLM\SYSTEM\CS3\Services\Tcpip\..\{90E94676-6819-4552-B794-4CCF36F600A3}: DhcpNameServer=192.168.0.1 205.171.3.65
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1 205.171.3.65
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1 205.171.3.65
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1 205.171.3.65


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!


SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End




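The log above is the raw material an HJT Team member triages by eye. As an added illustration of that triage, not code from the thread, from HijackThis or from any tool named in it, here is a small Python script that parses the O2/O3/O4/O20 lines in the HijackThis format and applies three heuristics that are my own: an entry whose DLL is marked missing is a dead registry key (cleanup, not a live threat); a BHO or toolbar with "(no name)", or a GUID where a name should be, and a file still on disk is a scan candidate; and one DLL referenced from several load points at once is the persistence pattern to look at first. The sample lines are copied from the log in this post so the script runs offline; the function names and the report layout are assumptions of this example.

```python
"""Triage of HijackThis-style log lines (added example; heuristics are my own)."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Sample lines copied from the HijackThis log posted above, so the example runs offline.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: {b23d044f-f519-142a-f984-24e140f38fe7} - {7ef83f04-1e42-489f-a241-915ff440d32b} - C:\WINDOWS\system32\sdgleevm.dll
O2 - BHO: (no name) - {99F4FDB7-60C5-441E-92B1-408B8AB99C26} - C:\WINDOWS\system32\ursrr.dll (file missing)
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\bdkefiaf.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\bdkefiaf.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O20 - Winlogon Notify: bdkefiaf - C:\WINDOWS\SYSTEM32\bdkefiaf.dll
"""

GUID_RE = r"\{[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}\}"

# One pattern per persistence section handled here; other sections (O9, O16, O23, ...) are ignored.
LINE_PATTERNS = {
    "O2": re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>" + GUID_RE + r") - (?P<path>.*)$"),
    "O3": re.compile(r"^O3 - Toolbar: (?P<name>.*?) - (?P<clsid>" + GUID_RE + r") - (?P<path>.*)$"),
    "O4": re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<path>.*)$"),
    "O20": re.compile(r"^O20 - Winlogon Notify: (?P<name>.*?) - (?P<path>.*)$"),
}


@dataclass
class HjtEntry:
    section: str
    name: str
    clsid: Optional[str]
    path: Optional[str]   # normalised (lower-case, no quotes/arguments), None for "(no file)"
    present: bool         # False when HijackThis reports the file as missing
    raw: str


def _split_path(raw: str):
    """Separate the file path from HijackThis' '(file missing)' / '(no file)' markers."""
    raw = raw.strip()
    if raw == "(no file)":
        return None, False
    present = True
    if raw.endswith("(file missing)"):
        raw = raw[: -len("(file missing)")].strip()
        present = False
    if raw.startswith('"'):            # O4 values may be quoted and carry arguments
        raw = raw[1:].split('"', 1)[0]
    return raw.lower(), present


def _is_unnamed(name: str) -> bool:
    """True for '(no name)' or a GUID standing where a vendor name should be."""
    return name == "(no name)" or re.fullmatch(GUID_RE, name) is not None


def parse_hjt_log(text: str) -> List[HjtEntry]:
    entries: List[HjtEntry] = []
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        for section, pattern in LINE_PATTERNS.items():
            m = pattern.match(raw)
            if m:
                path, present = _split_path(m.group("path"))
                entries.append(HjtEntry(section, m.group("name"), m.groupdict().get("clsid"), path, present, raw))
                break
    return entries


def triage(entries: List[HjtEntry]) -> Dict[str, object]:
    hooks_by_path: Dict[str, Set[str]] = defaultdict(set)
    orphaned: List[str] = []
    scan_candidates: Set[str] = set()
    for e in entries:
        if not e.present:
            # Registry entry survives but the DLL is gone: nothing loads, so this is cleanup only.
            orphaned.append(e.raw)
            continue
        hooks_by_path[e.path].add(e.section)
        if e.section in ("O2", "O3") and _is_unnamed(e.name):
            # Browser extension without a vendor name and with a file on disk: submit it for scanning.
            scan_candidates.add(e.path)
    # The same DLL wired into a BHO, a toolbar and a Winlogon Notify hook is the pattern to examine first.
    multi_hook = {
        path: sorted(sections, key=lambda s: int(s[1:]))
        for path, sections in hooks_by_path.items()
        if len(sections) > 1
    }
    return {"orphaned": orphaned, "scan_candidates": sorted(scan_candidates), "multi_hook": multi_hook}


if __name__ == "__main__":
    report = triage(parse_hjt_log(SAMPLE_LOG))
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run against the sample, the script lists the two dead entries as orphaned, names sdgleevm.dll and bdkefiaf.dll as the files to scan (the same two the helper asks for in the next post), and reports bdkefiaf.dll as hooked from O2, O3 and O20 at once.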
lusitano
post Nov 20 2007, 01:20 PM
Post #2


Portuguese Malware Fighter

Group: HJT Team
Posts: 1,443
Joined: 5-April 07
From: Portugal
Member No.: 122,277



Hi, welcome to Bleeping Computer Forums and thanks for your patience!

You might want to save this page on your favorites, so you can find it again when you return.


Please take note of the following:
  • I will be handling your log and helping you, please do not make any system changes yet.
  • The process is not instant. Please continue to review my answers until I tell you that your computer is clean. Be patient.
  • The fixes are specific to your problem and should only be used for this issue on this machine.
  • If there's anything that you don't understand, please ask your question(s) before proceeding with the fixes.
  • Please reply to this thread. Do not start a new topic.

Please give me some time to look over your log and I will get back to you as soon as possible.



--------------------

Please do not PM me asking for support.
Please be courteous, polite, and say thank you.
Please post the final results, good or bad. We like to know!
aaronjking
post Nov 20 2007, 03:43 PM
Post #3


New Member

Group: Members
Posts: 11
Joined: 12-November 07
Member No.: 169,275



Okay, Thank you very much for your help on this! I'll wait for your response to my logs before I continue.
lusitano
post Nov 21 2007, 05:12 AM
Post #4


Portuguese Malware Fighter

Group: HJT Team
Posts: 1,443
Joined: 5-April 07
From: Portugal
Member No.: 122,277



Hello,

1. Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows


2. Please click this link --> Jotti

When the jotti page has finished loading, click the browse button and navigate to the files listed below in bold, then click Submit. You will only be able to have one file scanned at a time.

C:\WINDOWS\system32\sdgleevm.dll
C:\WINDOWS\system32\bdkefiaf.dll

Please post back the results of the scan in your next post.

You also can try the same at Virustotal: http://www.virustotal.com/


3. Please go to the following url: http://www.bleepingcomputer.com/submit-malware.php?channel=17
  • "Link to topic where this file was requested:" - please insert the link to this topic in the text box
  • "Browse to the file you want to submit:" - please click on browse and navigate to:
    C:\WINDOWS\system32\sdgleevm.dll
    C:\WINDOWS\system32\bdkefiaf.dll
  • "Leave any comments, further information about this file, or contact information:" - please mention in the text box that Lusitano requested you to submit the file & insert the results from Jotti or virustotal obtained in the previous step
  • Click Submit


4. Please download VundoFix.exe to your desktop
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.


5. Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Scroll down to where it says "Java Runtime Environment (JRE)6 Update 3...allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Read the License Agreement and then check the box that says: "Accept License Agreement". The page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u3-windows-i586-p.exe to install the newest version.

6. Open HijackThis, click Config, click Misc Tools
Click "Open Uninstall Manager"
Click "Save List" (generates uninstall_list.txt)
Click Save, copy and paste the results in your next post.


7. Please download show-vundo.vbs to your desktop
  • Double-click show-vundo.vbs to run it.
  • When completed, please post the contents of C:\vundo-bho.txt and a new abc.bat log (which is still Hijackthis.exe) in a reply to this thread.

8. In your next reply, please post:
  • New HijackThis log
  • Results from Jotti or Virustotal (step nº 3)
  • Results from VundoFix (step nº 4)
  • Uninstall list (step nº 6)
  • Results from show-vundo (step nº 7)

Regards,


--------------------

Please do not PM me asking for support.
Please be courteous, polite, and say thank you.
Please post the final results, good or bad. We like to know!
aaronjking
post Nov 21 2007, 03:59 PM
Post #5


New Member

Group: Members
Posts: 11
Joined: 12-November 07
Member No.: 169,275



New HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:53:59 PM, on 11/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\OpenCASE\OpenCASE Media Agent\MediaAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Google Web Accelerator Helper - {69A87B7D-DE56-4136-9655-716BA50C19C7} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: {b23d044f-f519-142a-f984-24e140f38fe7} - {7ef83f04-1e42-489f-a241-915ff440d32b} - C:\WINDOWS\system32\sdgleevm.dll
O2 - BHO: (no name) - {99F4FDB7-60C5-441E-92B1-408B8AB99C26} - C:\WINDOWS\system32\ursrr.dll (file missing)
O2 - BHO: (no name) - {CB94BE1D-F27F-4AC5-8A9C-C43A93CAC863} - C:\Program Files\Internet Explorer\hokenowa4444.dll (file missing)
O2 - BHO: (no name) - {d83d0080-d489-4405-a5a6-fd944a52759a} - C:\WINDOWS\system32\diqdwbo.dll (file missing)
O2 - BHO: (no name) - {F3BE9629-376E-4DA8-BFA3-7E38ABF03CBB} - C:\Program Files\Internet Explorer\hokenowa83122.dll (file missing)
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2008\IEToolbar.dll
O3 - Toolbar: (no name) - {11A69AE4-FBED-4832-A2BF-45AF82825583} - (no file)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [BitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2008\IEShow.exe"
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.safety.live.com/resource/d...lscbase8460.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O16 - DPF: {DABFA9AD-4E31-43F4-9D60-4CDD20F57F28} (PhotomaxUploader.ActiveXControl) - http://photomax.com/web/PhotomaxUploader.CAB
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/popcaploader_v10.cab
O16 - DPF: {E3E02F12-2ADB-478C-8742-5F0819F9F0F4} (Quantum Streaming IE VersionManager Class) - http://qmedia.xlontech.net/100170/sdk/late...2ie06041001.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender S.R.L. - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
O23 - Service: OpenCASE Media Agent - ExtendMedia Inc. - C:\Program Files\OpenCASE\OpenCASE Media Agent\MediaAgent.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S.R.L. - C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - Softwin - C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe

--
End of file - 6897 bytes
    Results from Virustotal:

    File sdgleevm.dll received on 11.21.2007 18:03:55 (CET)
    Antivirus Version Last Update Result
    AhnLab-V3 2007.11.21.1 2007.11.21 -
    AntiVir 7.6.0.34 2007.11.21 TR/Spy.Vundo.79936
    Authentium 4.93.8 2007.11.21 -
    Avast 4.7.1074.0 2007.11.20 -
    AVG 7.5.0.503 2007.11.21 Lop
    BitDefender 7.2 2007.11.21 -
    CAT-QuickHeal 9.00 2007.11.21 -
    ClamAV 0.91.2 2007.11.21 -
    DrWeb 4.44.0.09170 2007.11.21 -
    eSafe 7.0.15.0 2007.11.14 -
    eTrust-Vet 31.3.5313 2007.11.21 -
    Ewido 4.0 2007.11.21 -
    FileAdvisor 1 2007.11.21 -
    Fortinet 3.14.0.0 2007.11.21 -
    F-Prot 4.4.2.54 2007.11.21 -
    F-Secure 6.70.13030.0 2007.11.21 Vundo.gen49
    Ikarus T3.1.1.12 2007.11.21 -
    Kaspersky 7.0.0.125 2007.11.21 -
    McAfee 5167 2007.11.20 Vundo
    Microsoft 1.3007 2007.11.21 -
    NOD32v2 2675 2007.11.21 a variant of Win32/BHO.G
    Norman 5.80.02 2007.11.20 W32/Virtumonde.IJL
    Panda 9.0.0.4 2007.11.21 Suspicious file
    Prevx1 V2 2007.11.21 Trojan.Vundo
    Rising 20.19.21.00 2007.11.21 -
    Sophos 4.23.0 2007.11.21 -
    Sunbelt 2.2.907.0 2007.11.21 -
    Symantec 10 2007.11.21 -
    TheHacker 6.2.9.136 2007.11.21 -
    VBA32 3.12.2.5 2007.11.20 -
    VirusBuster 4.3.26:9 2007.11.21 Adware.Vundo.V.Gen
    Webwasher-Gateway 6.0.1 2007.11.21 Trojan.Spy.Vundo.79936

    Additional information
    File size: 81472 bytes
    MD5: f01a19ed7efc75ca68cdafacc37a8e87
    SHA1: 288701132255506c342fa6007faf9fc451b2b449
    Prevx info: http://fileinfo.prevx.com/fileinfo.asp?PX5...7EF8500E1EEE03D


    C:\WINDOWS\system32\bdkefiaf.dll does not show up through browse.

      Results from VundoFix:

      VundoFix V6.6.2

      Checking Java version...

      Java version is 1.4.2.3
      Old versions of java are exploitable and should be removed.

      Scan started at 10:45:45 AM 11/21/2007

      Listing files found while scanning....

      C:\WINDOWS\system32\bdkefiaf.dll
      C:\windows\system32\bdkefiaf.dllbox
      C:\windows\system32\eulklbsn.dllbox

      Beginning removal...

      Attempting to delete C:\windows\system32\bdkefiaf.dllbox
      C:\windows\system32\bdkefiaf.dllbox Has been deleted!

      Attempting to delete C:\windows\system32\eulklbsn.dllbox
      C:\windows\system32\eulklbsn.dllbox Has been deleted!

      Performing Repairs to the registry.
      Done!

        Uninstall list:

        ABBYY FineReader 6.0 Sprint
        Ad-Aware SE Personal
        Adobe Acrobat 5.0
        Adobe Flash Player 9 ActiveX
        Adobe Reader 8.1.0
        AirhogsFlightSimFullVersion 1.0
        AOLIcon
        Apple Software Update
        Autodesk Design Review Trial
        Autodesk DWF Viewer 7
        avast! Antivirus
        BitDefender Antivirus 2008
        Broadcom Management Programs
        Brother MFL-Pro Suite
        CASHFLOW® 202 THE E-GAME
        CASHFLOW® THE E-GAME
        Conexant D480 MDC V.9x Modem
        ConvertMovie 3.0
        Dell Driver Reset Tool
        Dell Media Experience
        Dell Picture Studio v3.0
        Dell Support 5.0.0 (630)
        Digimax Master
        Digital Line Detect
        exPressit S.E. 2.2
        First Step Guide
        FXCM Trading Station II
        Google Earth
        Google Toolbar for Internet Explorer
        Google Web Accelerator
        Google Web Accelerator
        Google Web Accelerator
        HijackThis 2.0.2
        Hotfix for Windows Media Format 11 SDK (KB929399)
        Hotfix for Windows Media Player 11 (KB939683)
        Hotfix for Windows XP (KB896344)
        Hotfix for Windows XP (KB914440)
        Hotfix for Windows XP (KB915865)
        Hotfix for Windows XP (KB926239)
        ImageMixer EasyStepDVD
        Intel® Extreme Graphics 2 Driver
        Intel® PROSet/Wireless Software
        Interactive Medical Terminology 2.0
        Internet Explorer Default Page
        InterVideo WinDVR 3
        IrfanView (remove only)
        iTunes
        Jasc Paint Shop Photo Album 5
        Jasc Paint Shop Pro Studio, Dell Editon
        Java™ 6 Update 3
        Learn2 Player (Uninstall Only)
        Macromedia Flash Player
        mCore
        mDrWiFi
        mHlpDell
        Microsoft .NET Framework 1.1
        Microsoft .NET Framework 1.1
        Microsoft .NET Framework 1.1 Hotfix (KB928366)
        Microsoft .NET Framework 2.0
        Microsoft Base Smart Card Cryptographic Service Provider Package
        Microsoft Compression Client Pack 1.0 for Windows XP
        Microsoft Internationalized Domain Names Mitigation APIs
        Microsoft National Language Support Downlevel APIs
        Microsoft Office 2003 Resource Kit
        Microsoft Office FrontPage 2003
        Microsoft Office OneNote 2003
        Microsoft Office Professional Edition 2003
        Microsoft Office Project Professional 2003
        Microsoft Office Standard Edition 2003
        Microsoft Office Visio Professional 2003
        Microsoft Plus! Digital Media Edition Installer
        Microsoft Plus! Photo Story 2 LE
        Microsoft User-Mode Driver Framework Feature Pack 1.0
        mIWA
        mIWCA
        mLogView
        mMHouse
        Modem Helper
        mPfMgr
        mPfWiz
        mProSafe
        MSN Money Investment Toolbox
        mSSO
        MSXML 4.0 SP2 (KB925672)
        MSXML 4.0 SP2 (KB927978)
        MSXML 4.0 SP2 (KB936181)
        mToolkit
        mWlsSafe
        mXML
        My Way Search Assistant
        mZConfig
        NBC Direct Beta
        Netflix Movie Viewer
        NetWaiting
        OpenCASE Media Agent
        PaperPort
        Personal Ancestral File 5
        Photo Click
        Photo Explosion Special Edition
        PowerDVD 5.5
        QuickBooks Simple Start Special Edition
        QuickTime
        RealPlayer
        Samsung USB Driver
        Security Update for CAPICOM (KB931906)
        Security Update for CAPICOM (KB931906)
        Security Update for Microsoft .NET Framework 2.0 (KB928365)
        Security Update for Step By Step Interactive Training (KB898458)
        Security Update for Step By Step Interactive Training (KB923723)
        Security Update for Windows Internet Explorer 7 (KB928090)
        Security Update for Windows Internet Explorer 7 (KB931768)
        Security Update for Windows Internet Explorer 7 (KB933566)
        Security Update for Windows Internet Explorer 7 (KB937143)
        Security Update for Windows Internet Explorer 7 (KB938127)
        Security Update for Windows Internet Explorer 7 (KB939653)
        Security Update for Windows Media Player (KB911564)
        Security Update for Windows Media Player 10 (KB911565)
        Security Update for Windows Media Player 10 (KB917734)
        Security Update for Windows Media Player 11 (KB936782)
        Security Update for Windows Media Player 6.4 (KB925398)
        Security Update for Windows XP (KB890046)
        Security Update for Windows XP (KB893756)
        Security Update for Windows XP (KB896358)
        Security Update for Windows XP (KB896422)
        Security Update for Windows XP (KB896423)
        Security Update for Windows XP (KB896424)
        Security Update for Windows XP (KB896428)
        Security Update for Windows XP (KB899587)
        Security Update for Windows XP (KB899591)
        Security Update for Windows XP (KB900725)
        Security Update for Windows XP (KB901017)
        Security Update for Windows XP (KB901214)
        Security Update for Windows XP (KB902400)
        Security Update for Windows XP (KB904706)
        Security Update for Windows XP (KB905414)
        Security Update for Windows XP (KB905749)
        Security Update for Windows XP (KB905915)
        Security Update for Windows XP (KB908519)
        Security Update for Windows XP (KB908531)
        Security Update for Windows XP (KB911562)
        Security Update for Windows XP (KB911567)
        Security Update for Windows XP (KB911927)
        Security Update for Windows XP (KB912812)
        Security Update for Windows XP (KB912919)
        Security Update for Windows XP (KB913446)
        Security Update for Windows XP (KB913580)
        Security Update for Windows XP (KB914388)
        Security Update for Windows XP (KB914389)
        Security Update for Windows XP (KB916281)
        Security Update for Windows XP (KB917159)
        Security Update for Windows XP (KB917344)
        Security Update for Windows XP (KB917422)
        Security Update for Windows XP (KB917953)
        Security Update for Windows XP (KB918118)
        Security Update for Windows XP (KB918439)
        Security Update for Windows XP (KB918899)
        Security Update for Windows XP (KB919007)
        Security Update for Windows XP (KB920213)
        Security Update for Windows XP (KB920214)
        Security Update for Windows XP (KB920670)
        Security Update for Windows XP (KB920683)
        Security Update for Windows XP (KB920685)
        Security Update for Windows XP (KB921398)
        Security Update for Windows XP (KB921503)
        Security Update for Windows XP (KB921883)
        Security Update for Windows XP (KB922616)
        Security Update for Windows XP (KB922760)
        Security Update for Windows XP (KB922819)
        Security Update for Windows XP (KB923191)
        Security Update for Windows XP (KB923414)
        Security Update for Windows XP (KB923689)
        Security Update for Windows XP (KB923694)
        Security Update for Windows XP (KB923980)
        Security Update for Windows XP (KB924191)
        Security Update for Windows XP (KB924270)
        Security Update for Windows XP (KB924496)
        Security Update for Windows XP (KB924667)
        Security Update for Windows XP (KB925454)
        Security Update for Windows XP (KB925486)
        Security Update for Windows XP (KB925902)
        Security Update for Windows XP (KB926255)
        Security Update for Windows XP (KB926436)
        Security Update for Windows XP (KB927779)
        Security Update for Windows XP (KB927802)
        Security Update for Windows XP (KB928255)
        Security Update for Windows XP (KB928843)
        Security Update for Windows XP (KB929123)
        Security Update for Windows XP (KB930178)
        Security Update for Windows XP (KB931261)
        Security Update for Windows XP (KB931784)
        Security Update for Windows XP (KB932168)
        Security Update for Windows XP (KB933729)
        Security Update for Windows XP (KB935839)
        Security Update for Windows XP (KB935840)
        Security Update for Windows XP (KB936021)
        Security Update for Windows XP (KB938829)
        Security Update for Windows XP (KB941202)
        Security Update for Windows XP (KB943460)
        Sonic DLA
        Sonic RecordNow Audio
        Sonic RecordNow Copy
        Sonic RecordNow Data
        Sonic Update Manager
        Spybot - Search & Destroy 1.4
        Synaptics Pointing Device Driver
        Texas Instruments PCIxx20 drivers.
        TurboTax Home & Business 2006
        TurboTax ItsDeductible 2006
        Update for Windows XP (KB894391)
        Update for Windows XP (KB898461)
        Update for Windows XP (KB900485)
        Update for Windows XP (KB904942)
        Update for Windows XP (KB910437)
        Update for Windows XP (KB911280)
        Update for Windows XP (KB916595)
        Update for Windows XP (KB920872)
        Update for Windows XP (KB922582)
        Update for Windows XP (KB927891)
        Update for Windows XP (KB929338)
        Update for Windows XP (KB930916)
        Update for Windows XP (KB931836)
        Update for Windows XP (KB933360)
        Update for Windows XP (KB936357)
        Update for Windows XP (KB938828)
        Viewpoint Media Player
        WexTech AnswerWorks
        Windows Imaging Component
        Windows Installer 3.1 (KB893803)
        Windows Internet Explorer 7
        Windows Live Messenger
        Windows Live OneCare safety scanner
        Windows Media Connect
        Windows Media Format 11 runtime
        Windows Media Format 11 runtime
        Windows Media Format SDK Hotfix - KB891122
        Windows Media Player 10
        Windows Media Player 11
        Windows Media Player 11
        Windows XP Hotfix - KB834707
        Windows XP Hotfix - KB885836
        Windows XP Hotfix - KB886185
        Windows XP Hotfix - KB887472
        Windows XP Hotfix - KB887742
        Windows XP Hotfix - KB888113
        Windows XP Hotfix - KB888302
        Windows XP Hotfix - KB890859
        Windows XP Hotfix - KB891781
        Yahoo! Photos Easy Upload Tool 1v7
          Results from show-vundo:
          =================================================
          Report | BHOs, Winlogon Notify and AppInit_DLLs
          =================================================
          AppInit_DLLs
          -------------------------------------------------

          HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs


          -------------------------------------------------
          Authentication Packages
          -------------------------------------------------

          [1] msv1_0
          [2] C:\WINDOWS\system32\ursrr.dll


          -------------------------------------------------
          Security Providers
          -------------------------------------------------

          msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll


          -------------------------------------------------
          Explorer Execute Hooks
          -------------------------------------------------

          [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\]


          -------------------------------------------------
          Browser Helper Objects
          -------------------------------------------------

          [HKLM\SOFTWARE\Classes\CLSID\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\]
          Adobe PDF Reader Link Helper | [Undefined]
          C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll


          [HKLM\SOFTWARE\Classes\CLSID\{5CA3D70E-1895-11CF-8E15-001234567890}\]
          DriveLetterAccess | [Undefined]
          C:\WINDOWS\system32\dla\tfswshx.dll


          [HKLM\SOFTWARE\Classes\CLSID\{69A87B7D-DE56-4136-9655-716BA50C19C7}\]
          &Google Web Accelerator Helper | Google Web Accelerator Helper
          C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll


          [HKLM\SOFTWARE\Classes\CLSID\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\]
          SSVHelper Class | [Undefined]
          C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll


          [HKLM\SOFTWARE\Classes\CLSID\{7E853D72-626A-48EC-A868-BA8D5E23E045}\]
          [Undefined] | [Undefined]
          [Undefined]


          [HKLM\SOFTWARE\Classes\CLSID\{7ef83f04-1e42-489f-a241-915ff440d32b}\]
          [Undefined] | {b23d044f-f519-142a-f984-24e140f38fe7}
          C:\WINDOWS\system32\sdgleevm.dll


          [HKLM\SOFTWARE\Classes\CLSID\{99F4FDB7-60C5-441E-92B1-408B8AB99C26}\]
          [Undefined] | [Undefined]
          C:\WINDOWS\system32\ursrr.dll


          [HKLM\SOFTWARE\Classes\CLSID\{CB94BE1D-F27F-4AC5-8A9C-C43A93CAC863}\]
          [Undefined] | [Undefined]
          C:\Program Files\Internet Explorer\hokenowa4444.dll


          [HKLM\SOFTWARE\Classes\CLSID\{d83d0080-d489-4405-a5a6-fd944a52759a}\]
          [Undefined] | [Undefined]
          C:\WINDOWS\system32\diqdwbo.dll


          [HKLM\SOFTWARE\Classes\CLSID\{F3BE9629-376E-4DA8-BFA3-7E38ABF03CBB}\]
          [Undefined] | [Undefined]
          C:\Program Files\Internet Explorer\hokenowa83122.dll



          -------------------------------------------------
          Winlogon Notify
          -------------------------------------------------


          [Default] crypt32chain : crypt32.dll

          [Default] cryptnet : cryptnet.dll

          [Default] cscdll : cscdll.dll

          [Default] igfxcui : igfxdev.dll

          [Default] IntelWireless : C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

          [Default] ScCertProp : wlnotify.dll

          [Default] Schedule : wlnotify.dll

          [Default] sclgntfy : sclgntfy.dll

          [Default] SensLogn : WlNotify.dll

          [Default] termsrv : wlnotify.dll

          [New] WgaLogon : WgaLogon.dll

          [Default] wlballoon : wlnotify.dll


          This is NOT a list of malicious files!




          Thanks for your help with this, I hope this information will assist you in helping me!
          lusitano
          post Nov 22 2007, 05:47 PM
          Post #6


          Portuguese Malware Fighter

          Group: HJT Team
          Posts: 1,443
          Joined: 5-April 07
          From: Portugal
          Member No.: 122,277



          Hello,

          I see you have two antivirus products, specifically avast! and BitDefender 2008. I do not recommend having more than one antivirus product installed and running on your computer at a time.
          The reason for this is that if both products have their automatic (Real-Time) protection switched on, then those products which do not encrypt the virus strings within them can trigger "false alarms" in other antivirus products. It can also lead to a clash as both products fight for access to files which are opened; again this is the resident/automatic protection. In general terms, the two programs may conflict and cause:

          1) False alarms: When the anti virus software tells you that your PC has a virus when it actually doesn't.
          2) System performance problems: Your system may lock up due to both products attempting to access the same file at the same time.

          Also I see you have Viewpoint. Viewpoint, Viewpoint Manager and Viewpoint Media Player are Viewpoint components which are installed as a side effect of installing other software, most notably AOL and AOL Instant Messenger (AIM). Viewpoint Manager is responsible for managing and updating Viewpoint Media Player’s components. You can disable this using the Viewpoint Manager Control Panel found in the Windows Control Panel menu. By selecting Disable auto-updating for the Viewpoint Manager, the player will no longer attempt to check for updates. Anything that is installed without your consent is suspect. Read what Viewpoint says and make your own decision.
          QUOTE
          To provide a satisfying consumer experience and to operate effectively, the Viewpoint Media Player periodically sends information to servers at Viewpoint. Each installation of the Viewpoint Media Player is identifiable to Viewpoint via a Customer Unique Identifier (CUID), an alphanumeric identifier embedded in the Viewpoint Media Player. The Viewpoint Media Player randomly generates the CUID during installation and uses it to indicate a unique installation of the product. A CUID is never connected to a user's name, email address, or other personal contact information. CUIDs are used for the sole purpose of filtering redundant information. Each of these information exchanges occurs anonymously.


          Viewpoint Manager is considered as foistware instead of malware since it is installed without user's approval but doesn't spy or do anything "bad".
          This may change, read Viewpoint to Plunge Into Adware.

          I recommend that you remove the Viewpoint products; however, decide for yourself. To uninstall the Viewpoint components (Viewpoint, Viewpoint Manager, Viewpoint Media Player):


          Please uninstall any of the following program(s) using Add/Remove Programs if they are present. To do this, go to Start > Settings > Control Panel and double-click on Add/Remove Programs. From within Add/Remove Programs highlight each one and select Remove.
          My Way Search Assistant
          Viewpoint Media Player
          < Your choice
          And please remove either avast! or BitDefender 2008


          Reboot normally and post a new HijackThis log.

          Regards,


          --------------------

          Please do not PM me asking for support.
          Please be courteous, polite, and say thank you.
          Please post the final results, good or bad. We like to know!
          aaronjking
          post Nov 23 2007, 01:25 AM
          Post #7


          New Member

          Group: Members
          Posts: 11
          Joined: 12-November 07
          Member No.: 169,275



          Both programs did show up on the list in Add/Remove Programs. I was able to remove Viewpoint, but every time I select My Way Search Assistant, it gives me this error: "Error loading C:\PROGRA~\MyWaySA\SrchAsDe\1.bin\desrcas.dll". I did find a MyWaySA folder in Program Files, and it was empty so I deleted it. I removed BitDefender, and here is the new HijackThis log:
          Logfile of Trend Micro HijackThis v2.0.2
          Scan saved at 11:24:26 PM, on 11/22/2007
          Platform: Windows XP SP2 (WinNT 5.01.2600)
          MSIE: Internet Explorer v7.00 (7.00.6000.16544)
          Boot mode: Normal

          Running processes:
          C:\WINDOWS\System32\smss.exe
          C:\WINDOWS\system32\winlogon.exe
          C:\WINDOWS\system32\services.exe
          C:\WINDOWS\system32\lsass.exe
          C:\WINDOWS\system32\svchost.exe
          C:\WINDOWS\System32\svchost.exe
          C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
          C:\Program Files\Alwil Software\Avast4\ashServ.exe
          C:\WINDOWS\system32\spoolsv.exe
          C:\WINDOWS\system32\cisvc.exe
          C:\Program Files\OpenCASE\OpenCASE Media Agent\MediaAgent.exe
          C:\WINDOWS\system32\svchost.exe
          C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
          C:\WINDOWS\Explorer.EXE
          C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
          C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
          C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
          C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
          C:\WINDOWS\system32\ctfmon.exe
          C:\Program Files\Windows Media Player\WMPNSCFG.exe
          C:\WINDOWS\system32\wuauclt.exe
          C:\Program Files\Internet Explorer\iexplore.exe
          C:\WINDOWS\system32\cidaemon.exe
          C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

          F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
          O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
          O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
          O2 - BHO: Google Web Accelerator Helper - {69A87B7D-DE56-4136-9655-716BA50C19C7} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
          O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
          O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
          O2 - BHO: {b23d044f-f519-142a-f984-24e140f38fe7} - {7ef83f04-1e42-489f-a241-915ff440d32b} - C:\WINDOWS\system32\sdgleevm.dll
          O2 - BHO: (no name) - {99F4FDB7-60C5-441E-92B1-408B8AB99C26} - C:\WINDOWS\system32\ursrr.dll (file missing)
          O2 - BHO: (no name) - {CB94BE1D-F27F-4AC5-8A9C-C43A93CAC863} - C:\Program Files\Internet Explorer\hokenowa4444.dll (file missing)
          O2 - BHO: (no name) - {d83d0080-d489-4405-a5a6-fd944a52759a} - C:\WINDOWS\system32\diqdwbo.dll (file missing)
          O2 - BHO: (no name) - {F3BE9629-376E-4DA8-BFA3-7E38ABF03CBB} - C:\Program Files\Internet Explorer\hokenowa83122.dll (file missing)
          O3 - Toolbar: (no name) - {11A69AE4-FBED-4832-A2BF-45AF82825583} - (no file)
          O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
          O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
          O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
          O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
          O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
          O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
          O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
          O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
          O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
          O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
          O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
          O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
          O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
          O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
          O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
          O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
          O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
          O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.safety.live.com/resource/d...lscbase8460.cab
          O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
          O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
          O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
          O16 - DPF: {DABFA9AD-4E31-43F4-9D60-4CDD20F57F28} (PhotomaxUploader.ActiveXControl) - http://photomax.com/web/PhotomaxUploader.CAB
          O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/popcaploader_v10.cab
          O16 - DPF: {E3E02F12-2ADB-478C-8742-5F0819F9F0F4} (Quantum Streaming IE VersionManager Class) - http://qmedia.xlontech.net/100170/sdk/late...2ie06041001.cab
          O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
          O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
          O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
          O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
          O23 - Service: OpenCASE Media Agent - ExtendMedia Inc. - C:\Program Files\OpenCASE\OpenCASE Media Agent\MediaAgent.exe

          --
          End of file - 5983 bytes

          Thanks for your help!!
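The show-vundo report earlier in the thread and the HijackThis log just above list the same Browser Helper Objects, and show-vundo additionally shows ursrr.dll registered as a second LSA authentication package next to msv1_0. The script below is an added example, not code from the thread, from HijackThis or from show-vundo: it parses the "O2 - BHO:" lines of a HijackThis log and the "Authentication Packages" section of a show-vundo report, then flags the entries a malware-removal helper would look at first. The sample lines are constructed from entries quoted in the thread, and the heuristics (no descriptive name, file missing, DLL sitting directly in system32 or the Internet Explorer folder, the same DLL appearing in both load points) are mine, not something either tool computes.

```python
"""Triage helper for BHO and LSA authentication-package log entries.

Added example for this thread; it is not part of HijackThis or show-vundo.
"""
import re
from dataclasses import dataclass, field

# Constructed sample input, modelled on entries quoted in the thread.
SAMPLE_HJT = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: {b23d044f-f519-142a-f984-24e140f38fe7} - {7ef83f04-1e42-489f-a241-915ff440d32b} - C:\WINDOWS\system32\sdgleevm.dll
O2 - BHO: (no name) - {99F4FDB7-60C5-441E-92B1-408B8AB99C26} - C:\WINDOWS\system32\ursrr.dll (file missing)
O2 - BHO: (no name) - {CB94BE1D-F27F-4AC5-8A9C-C43A93CAC863} - C:\Program Files\Internet Explorer\hokenowa4444.dll (file missing)
"""
SAMPLE_AUTHPKG = r"""
[1] msv1_0
[2] C:\WINDOWS\system32\ursrr.dll
"""

# "O2 - BHO: <name> - {<CLSID>} - <path>"; the name itself may be a CLSID.
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<path>.*)$")
CLSID_RE = re.compile(r"^\{[0-9A-Fa-f-]{36}\}$")
AUTHPKG_RE = re.compile(r"^\[\d+\]\s+(.+)$")
# Vendors normally install a BHO under their own Program Files folder; a DLL
# dropped straight into these directories deserves a closer look (my heuristic).
SUSPECT_DIRS = ("c:\\windows\\system32\\", "c:\\program files\\internet explorer\\")
# The only LSA authentication package on a stock Windows XP install.
DEFAULT_AUTH_PACKAGES = {"msv1_0"}


@dataclass
class Bho:
    name: str
    clsid: str
    path: str                 # "" when the log shows "(no file)"
    file_missing: bool
    reasons: list = field(default_factory=list)

    @property
    def basename(self) -> str:
        return self.path.rsplit("\\", 1)[-1].lower()


def parse_bhos(hjt_text: str) -> list:
    """Return one Bho per 'O2 - BHO:' line; all other HijackThis lines are ignored."""
    bhos = []
    for line in hjt_text.splitlines():
        m = O2_RE.match(line.strip())
        if not m:
            continue
        path, missing = m["path"].strip(), False
        if path == "(no file)":
            path, missing = "", True
        elif path.endswith("(file missing)"):
            path, missing = path[: -len("(file missing)")].strip(), True
        bhos.append(Bho(m["name"], m["clsid"].upper(), path, missing))
    return bhos


def parse_auth_packages(report_text: str) -> list:
    """Return the '[n] value' entries of show-vundo's Authentication Packages section."""
    found = []
    for line in report_text.splitlines():
        m = AUTHPKG_RE.match(line.strip())
        if m:
            found.append(m.group(1).strip())
    return found


def triage(hjt_text: str, authpkg_text: str) -> dict:
    """Flag BHOs that look out of place and any non-default LSA authentication package."""
    bhos = parse_bhos(hjt_text)
    extra_auth = [p for p in parse_auth_packages(authpkg_text)
                  if p.lower() not in DEFAULT_AUTH_PACKAGES]
    auth_basenames = {p.rsplit("\\", 1)[-1].lower() for p in extra_auth}
    for b in bhos:
        if b.name == "(no name)" or CLSID_RE.match(b.name):
            b.reasons.append("no descriptive name")
        if b.file_missing:
            b.reasons.append("orphaned registration (file missing)")
        if b.path and b.path.lower().startswith(SUSPECT_DIRS):
            b.reasons.append("DLL outside a vendor directory")
        if b.basename and b.basename in auth_basenames:
            b.reasons.append("same DLL is also an LSA authentication package (loaded by lsass.exe)")
    return {"bhos": bhos, "extra_auth_packages": extra_auth}


if __name__ == "__main__":
    result = triage(SAMPLE_HJT, SAMPLE_AUTHPKG)
    for pkg in result["extra_auth_packages"]:
        print(f"[!] non-default LSA authentication package: {pkg}")
    for b in result["bhos"]:
        if b.reasons:
            print(f"[?] {b.clsid} {b.path or '(no file)'}: " + "; ".join(b.reasons))
```

The cross-reference is the point of the script: a BHO only loads when Internet Explorer starts, but an LSA authentication package is loaded by lsass.exe at boot, so removing the O2 entries alone would leave that load point in place. Treat the output as triage rather than a verdict; legitimate add-ons are occasionally registered without a display name, and an orphaned "(file missing)" entry is clutter rather than an active threat.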
          lusitano
          post Nov 23 2007, 01:53 PM
          Post #8


          Portuguese Malware Fighter

          Group: HJT Team
          Posts: 1,443
          Joined: 5-April 07
          From: Portugal
          Member No.: 122,277



          Hi,

          Download ComboFix from Here or Here to your Desktop.
          • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
            Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
          • Double click combofix.exe and follow the prompts.
          • When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
          Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

          Regards,


          aaronjking
          post Nov 23 2007, 03:57 PM
          Post #9


          New Member

          Group: Members
          Posts: 11
          Joined: 12-November 07
          Member No.: 169,275



          combofix log:
          ComboFix 07-11-19.3 - Jeremy 2007-11-23 13:42:12.1 - NTFSx86
          Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.626 [GMT -7:00]
          Running from: C:\Documents and Settings\Jeremy\Desktop\ComboFix.exe
          * Created a new restore point
          .

          ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
          .

          C:\Documents and Settings\Administrator.LAPTOP\Desktop\Live Safety Center.lnk
          C:\Documents and Settings\Administrator.LAPTOP\Desktop\Online Security Guide.lnk
          C:\Documents and Settings\Administrator.LAPTOP\Favorites\Online Security Guide.lnk
          C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
          C:\Documents and Settings\Jeremy\Application Data\DriveCleaner Freeware
          C:\Documents and Settings\Jeremy\Application Data\DriveCleaner Freeware\Logs\update.log
          C:\Documents and Settings\Jeremy\Favorites\Online Security Guide.lnk
          C:\Documents and Settings\Jeremy\ResErrors.log
          C:\Temp\1cb
          C:\Temp\1cb\syscheck.log
          C:\temp\tn3
          C:\WINDOWS\cookies.ini
          C:\WINDOWS\Downloaded Program Files\Temp
          C:\WINDOWS\system32\a1
          C:\WINDOWS\system32\a13
          C:\WINDOWS\system32\bszip.dll
          C:\WINDOWS\system32\e2
          C:\WINDOWS\system32\g1
          C:\WINDOWS\system32\g2
          C:\WINDOWS\system32\i8
          C:\WINDOWS\system32\pac.txt
          C:\WINDOWS\system32\r2
          C:\WINDOWS\system32\v8
          C:\WINDOWS\system32\x22

          .
          ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

          .
          -------\LEGACY_CORE
          -------\LEGACY_DOMAINSERVICE
          -------\LEGACY_FMTR
          -------\LEGACY_NETWORK_MONITOR


          ((((((((((((((((((((((((( Files Created from 2007-10-23 to 2007-11-23 )))))))))))))))))))))))))))))))
          .

          2007-11-22 23:10 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
          2007-11-21 13:49 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
          2007-11-21 13:49 5,387 --a------ C:\WINDOWS\system32\jupdate-1.6.0_03-b05.log
          2007-11-21 13:48 <DIR> d-------- C:\Program Files\Common Files\Java
          2007-11-21 10:45 <DIR> d-------- C:\VundoFix Backups
          2007-11-18 01:00 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
          2007-11-18 00:59 <DIR> d-------- C:\Program Files\NBC Direct
          2007-11-18 00:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ExtendMedia
          2007-11-18 00:58 <DIR> d-------- C:\Program Files\OpenCASE
          2007-11-18 00:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TEMP
          2007-11-15 13:32 <DIR> d-------- C:\Program Files\Common Files\BitDefender
          2007-11-14 23:01 <DIR> d-------- C:\Program Files\Alwil Software
          2007-11-14 18:02 <DIR> d-------- C:\Documents and Settings\Administrator.LAPTOP\Application Data\eAcceleration
          2007-11-14 16:02 <DIR> d-------- C:\Documents and Settings\Administrator.LAPTOP\.housecall6.6
          2007-11-12 10:45 <DIR> d-------- C:\Program Files\Trend Micro
          2007-11-10 08:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
          2007-11-10 07:34 1,252 --a------ C:\WINDOWS\system32\tmp.reg
          2007-11-10 07:34 0 --a------ C:\WINDOWS\system32\tmp.txt
          2007-11-10 07:33 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
          2007-11-10 07:33 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
          2007-11-10 07:33 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
          2007-11-10 07:30 585,376 --ahs---- C:\WINDOWS\system32\ygxiuydt.ini
          2007-11-10 07:30 85,056 --a------ C:\WINDOWS\system32\tdyuixgy.dll
          2007-11-10 07:27 81,472 --a------ C:\WINDOWS\system32\jkrxobml.dll
          2007-11-09 19:49 585,196 --ahs---- C:\WINDOWS\system32\eusapmwh.ini
          2007-11-08 19:24 <DIR> d-------- C:\Documents and Settings\Administrator.LAPTOP\Application Data\Lavasoft
          2007-11-08 19:20 <DIR> d-------- C:\Documents and Settings\Administrator.LAPTOP\Application Data\Symantec
          2007-11-08 19:20 <DIR> d-------- C:\Documents and Settings\Administrator.LAPTOP\Application Data\Jasc Software Inc
          2007-11-08 19:20 <DIR> d-------- C:\Documents and Settings\Administrator.LAPTOP\Application Data\Intel
          2007-11-08 19:20 <DIR> d--h----- C:\Documents and Settings\Administrator.LAPTOP\Application Data\Gtek
          2007-11-07 09:08 294 --ahs---- C:\WINDOWS\system32\dirivtkv.ini
          2007-11-05 22:52 565,365 --ahs---- C:\WINDOWS\system32\egccylyo.ini
          2007-11-05 22:19 565,296 --ahs---- C:\WINDOWS\system32\wqnfbhly.ini
          2007-11-05 10:15 3,914 --a------ C:\WINDOWS\system32\plxhgsfd.dll
          2007-11-04 10:12 <DIR> d-------- C:\Program Files\Norton 360
          2007-11-04 09:43 577,474 --ahs---- C:\WINDOWS\system32\fiqeogjp.ini
          2007-11-03 12:13 24,064 --a------ C:\WINDOWS\system32\msxml3a.dll
          2007-11-02 22:57 <DIR> d-------- C:\Temp\mZOr
          2007-11-02 22:57 577,052 --ahs---- C:\WINDOWS\system32\iycksxpj.ini
          2007-11-01 21:18 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Lavasoft
          2007-11-01 21:16 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Intel
          2007-11-01 21:16 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Gtek
          2007-11-01 21:14 143 --a------ C:\WINDOWS\system32\mcrh.tmp
          2007-10-30 17:43 <DIR> d-------- C:\WINDOWS\system32\Mz02r

          .
          (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
          .
          2007-11-21 20:49 --------- d-----w C:\Program Files\Java
          2007-11-12 20:46 --------- d-----w C:\Program Files\Google
          2007-11-10 14:43 --------- d-----w C:\Program Files\Common Files\Symantec Shared
          2007-11-09 19:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
          2007-11-04 21:57 --------- d-----w C:\Documents and Settings\Jeremy\Application Data\Symantec
          2007-11-03 20:24 --------- d-----w C:\Program Files\CASHFLOW 202
          2007-10-31 04:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
          2007-10-20 17:41 --------- d-----w C:\Program Files\CandleWorks
          2007-10-13 08:16 --------- d-----w C:\Documents and Settings\Jeremy\Application Data\U3
          2007-10-06 16:06 --------- d-----w C:\Documents and Settings\Jeremy\Application Data\Move Networks
          2007-10-03 03:52 --------- d-----w C:\Program Files\Common Files\Adobe
          2007-10-03 03:52 --------- d-----w C:\Documents and Settings\Jeremy\Application Data\InterTrust
          2007-09-23 17:26 --------- d-----r C:\Documents and Settings\Jeremy\Application Data\Brother
          .

          ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
          .
          .
          *Note* empty entries & legit default entries are not shown

          [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7ef83f04-1e42-489f-a241-915ff440d32b}]
          2007-11-10 07:41 81472 --a------ C:\WINDOWS\system32\sdgleevm.dll

          [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{99F4FDB7-60C5-441E-92B1-408B8AB99C26}]
          C:\WINDOWS\system32\ursrr.dll

          [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CB94BE1D-F27F-4AC5-8A9C-C43A93CAC863}]
          C:\Program Files\Internet Explorer\hokenowa4444.dll

          [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d83d0080-d489-4405-a5a6-fd944a52759a}]
          C:\WINDOWS\system32\diqdwbo.dll

          [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F3BE9629-376E-4DA8-BFA3-7E38ABF03CBB}]
          C:\Program Files\Internet Explorer\hokenowa83122.dll

          [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
          "msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 11:54]
          "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:00]
          "WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 20:05]

          [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
          "avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-09-06 04:06]
          "WinampAgent"="C:\Program Files\Winamp\winampa.exe" []
          "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]

          [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
          C:\Program Files\Intel\Wireless\Bin\LgNotify.dll 2004-09-07 14:08 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

          [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
          path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
          backup=C:\WINDOWS\pss\Digital Line Detect.lnkCommon Startup

          [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office OneNote 2003 Quick Launch.lnk]
          path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office OneNote 2003 Quick Launch.lnk
          backup=C:\WINDOWS\pss\Microsoft Office OneNote 2003 Quick Launch.lnkCommon Startup

          [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
          path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
          backup=C:\WINDOWS\pss\QuickBooks Update Agent.lnkCommon Startup

          [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Run Google Web Accelerator.lnk]
          path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Run Google Web Accelerator.lnk
          backup=C:\WINDOWS\pss\Run Google Web Accelerator.lnkCommon Startup

          [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Jeremy^Start Menu^Programs^Startup^Microsoft Office OneNote 2003 Quick Launch.lnk]
          path=C:\Documents and Settings\Jeremy\Start Menu\Programs\Startup\Microsoft Office OneNote 2003 Quick Launch.lnk
          backup=C:\WINDOWS\pss\Microsoft Office OneNote 2003 Quick Launch.lnkStartup

          [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\!AVG Anti-Spyware]
          C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe /minimized

          [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
          2007-05-11 02:06 40048 --a------ C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

          [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
          C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP

          [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\b4b5536b]
          rundll32.exe C:\WINDOWS\system32\pryrkrfa.dll,b

          [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BrMfcWnd]
          C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN

          [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ControlCenter3]
          C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun

          [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
          2004-08-04 03:00 15360 --a------ C:\WINDOWS\system32\ctfmon.exe

          [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
          2004-12-05 23:05 127035 --a------ C:\WINDOWS\system32\dla\tfswctrl.exe

          [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher]
          2005-01-26 23:02 86016 --a------ C:\Program Files\Dell\Media Experience\DMXLauncher.exe

          [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
          2005-02-23 14:19 53248 --------- C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

          [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
          2005-09-20 08:32 77824 --a------ C:\WINDOWS\system32\hkcmd.exe

          [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
          2005-09-20 08:36 114688 --a------ C:\WINDOWS\system32\igfxpers.exe

          [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
          2005-09-20 08:35 94208 --a------ C:\WINDOWS\system32\igfxtray.exe

          [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndexSearch]
          2005-03-17 14:45 40960 --a------ C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe

          [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelWireless]
          C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless

          [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
          C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

          [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
          C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe -start

          [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
          2007-03-14 18:05 257088 --a------ C:\Program Files\iTunes\iTunesHelper.exe

          [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark X84-X85 Button Manager]
          2002-09-04 08:36 53248 --a------ C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X84-X85.exe

          [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark X84-X85 Button Monitor]
          2003-01-08 12:36 40960 --a------ C:\PROGRA~1\LEXMAR~1\ACMonitor_X84-X85.exe

          [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
          C:\Program Files\MSN Messenger\MsnMsgr.Exe /background

          [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PaperPort PTD]
          2005-03-17 14:25 57393 --a------ C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe

          [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PrinTray]
          2002-09-18 18:52 36864 --a------ C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe

          [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
          C:\Program Files\QuickTime\qttask.exe -atboottime

          [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SetDefPrt]
          2005-01-26 18:02 49152 --a------ C:\Program Files\Brother\Brmfl06a\BrStDvPt.exe

          [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
          C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe -Embedding -boot

          [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
          C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe

          [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
          2004-05-14 12:35 536576 --a------ C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

          [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
          2004-05-13 22:23 98304 --a------ C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

          [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinDVR SchSvr]
          2004-09-08 20:51 106496 --a------ C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe

          [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
          2006-10-18 20:05 204288 --------- C:\Program Files\Windows Media Player\WMPNSCFG.exe

          [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
          "WMPNetworkSvc"=2 (0x2)
          "WLANKEEPER"=2 (0x2)
          "usnjsvc"=3 (0x3)
          "UserAccess7"=2 (0x2)
          "S24EventMonitor"=2 (0x2)
          "RegSrvc"=2 (0x2)
          "ose"=3 (0x3)
          "MDM"=2 (0x2)
          "IDriverT"=3 (0x3)
          "gusvc"=3 (0x3)
          "EvtEng"=2 (0x2)
          "DomainService"=2 (0x2)
          "CLTNetCnService"=2 (0x2)
          "Avg7UpdSvc"=2 (0x2)
          "AVG Anti-Spyware Guard"=2 (0x2)

          R2 OpenCASE Media Agent;OpenCASE Media Agent;"C:\Program Files\OpenCASE\OpenCASE Media Agent\MediaAgent.exe"
          R3 tifm;tifm;C:\WINDOWS\system32\drivers\tifm.sys
          S3 3xHybrid;3xHybrid service;C:\WINDOWS\system32\DRIVERS\3xHybrid.sys
          S3 BrScnUsb;Brother USB Still Image driver;C:\WINDOWS\system32\DRIVERS\BrScnUsb.sys
          S3 sony_ssm.sys;sony_ssm.sys;\??\C:\DOCUME~1\Jeremy\LOCALS~1\Temp\sony_ssm.sys

          [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
          \Shell\AutoRun\command - E:\LaunchU3.exe -a

          [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b6d85889-ca79-11da-b9b5-0012f0884ff1}]
          \Shell\AutoRun\command - E:\setupSNK.exe

          .
          Contents of the 'Scheduled Tasks' folder
          "2007-10-27 03:51:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
          .
          **************************************************************************

          catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
          Rootkit scan 2007-11-23 13:52:29
          Windows 5.1.2600 Service Pack 2 NTFS

          scanning hidden processes ...

          scanning hidden autostart entries ...

          scanning hidden files ...

          scan completed successfully
          hidden files: 0

          **************************************************************************
          .
          Completion time: 2007-11-23 13:54:07 - machine was rebooted
          .
          --- E O F ---


          HijackThis log:
          Logfile of Trend Micro HijackThis v2.0.2
          Scan saved at 1:56:27 PM, on 11/23/2007
          Platform: Windows XP SP2 (WinNT 5.01.2600)
          MSIE: Internet Explorer v7.00 (7.00.6000.16544)
          Boot mode: Normal

          Running processes:
          C:\WINDOWS\System32\smss.exe
          C:\WINDOWS\system32\winlogon.exe
          C:\WINDOWS\system32\services.exe
          C:\WINDOWS\system32\lsass.exe
          C:\WINDOWS\system32\svchost.exe
          C:\WINDOWS\System32\svchost.exe
          C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
          C:\Program Files\Alwil Software\Avast4\ashServ.exe
          C:\WINDOWS\system32\spoolsv.exe
          C:\Program Files\OpenCASE\OpenCASE Media Agent\MediaAgent.exe
          C:\WINDOWS\system32\svchost.exe
          C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
          C:\WINDOWS\Explorer.EXE
          C:\WINDOWS\system32\wuauclt.exe
          C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
          C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
          C:\WINDOWS\system32\ctfmon.exe
          C:\Program Files\Windows Media Player\WMPNSCFG.exe
          C:\WINDOWS\system32\wscntfy.exe
          C:\WINDOWS\system32\notepad.exe
          C:\Program Files\Internet Explorer\IEXPLORE.EXE
          C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

          O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
          O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
          O2 - BHO: Google Web Accelerator Helper - {69A87B7D-DE56-4136-9655-716BA50C19C7} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
          O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
          O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
          O2 - BHO: {b23d044f-f519-142a-f984-24e140f38fe7} - {7ef83f04-1e42-489f-a241-915ff440d32b} - C:\WINDOWS\system32\sdgleevm.dll
          O2 - BHO: (no name) - {99F4FDB7-60C5-441E-92B1-408B8AB99C26} - C:\WINDOWS\system32\ursrr.dll (file missing)
          O2 - BHO: (no name) - {CB94BE1D-F27F-4AC5-8A9C-C43A93CAC863} - C:\Program Files\Internet Explorer\hokenowa4444.dll (file missing)
          O2 - BHO: (no name) - {d83d0080-d489-4405-a5a6-fd944a52759a} - C:\WINDOWS\system32\diqdwbo.dll (file missing)
          O2 - BHO: (no name) - {F3BE9629-376E-4DA8-BFA3-7E38ABF03CBB} - C:\Program Files\Internet Explorer\hokenowa83122.dll (file missing)
          O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
          O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
          O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
          O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
          O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
          O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
          O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
          O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
          O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
          O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
          O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
          O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
          O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
          O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
          O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
          O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
          O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
          O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.safety.live.com/resource/d...lscbase8460.cab
          O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
          O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
          O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
          O16 - DPF: {DABFA9AD-4E31-43F4-9D60-4CDD20F57F28} (PhotomaxUploader.ActiveXControl) - http://photomax.com/web/PhotomaxUploader.CAB
          O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/popcaploader_v10.cab
          O16 - DPF: {E3E02F12-2ADB-478C-8742-5F0819F9F0F4} (Quantum Streaming IE VersionManager Class) - http://qmedia.xlontech.net/100170/sdk/late...2ie06041001.cab
          O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
          O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
          O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
          O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
          O23 - Service: OpenCASE Media Agent - ExtendMedia Inc. - C:\Program Files\OpenCASE\OpenCASE Media Agent\MediaAgent.exe

          --
          End of file - 5735 bytes


          Thanks for your help!!
          lusitano
          post Nov 24 2007, 07:47 PM
          Post #10


          Portuguese Malware Fighter
          ******

          Group: HJT Team
          Posts: 1,443
          Joined: 5-April 07
          From: Portugal
          Member No.: 122,277



          Hello,

          1. Close any open browsers.

          2. Open Notepad and copy/paste the text in the quotebox below into it:
          QUOTE
          File::
          C:\WINDOWS\system32\ygxiuydt.ini
          C:\WINDOWS\system32\tdyuixgy.dll
          C:\WINDOWS\system32\jkrxobml.dll
          C:\WINDOWS\system32\eusapmwh.ini
          C:\WINDOWS\system32\dirivtkv.ini
          C:\WINDOWS\system32\egccylyo.ini
          C:\WINDOWS\system32\wqnfbhly.ini
          C:\WINDOWS\system32\plxhgsfd.dll
          C:\WINDOWS\system32\fiqeogjp.ini
          C:\WINDOWS\system32\iycksxpj.ini
          C:\WINDOWS\system32\mcrh.tmp
          C:\WINDOWS\system32\sdgleevm.dll
          C:\WINDOWS\system32\ursrr.dll
          C:\Program Files\Internet Explorer\hokenowa4444.dll
          C:\WINDOWS\system32\diqdwbo.dll
          C:\Program Files\Internet Explorer\hokenowa83122.dll
          C:\WINDOWS\system32\pryrkrfa.dll

          Folder::
          C:\Temp\mZOr
          C:\WINDOWS\system32\Mz02r

          Registry::
          [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7ef83f04-1e42-489f-a241-915ff440d32b}]
          [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{99F4FDB7-60C5-441E-92B1-408B8AB99C26}]
          [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CB94BE1D-F27F-4AC5-8A9C-C43A93CAC863}]
          [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d83d0080-d489-4405-a5a6-fd944a52759a}]
          [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F3BE9629-376E-4DA8-BFA3-7E38ABF03CBB}]
          [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\b4b5536b]

          Save this as CFScript.txt, in the same location as ComboFix.exe




          Referring to the picture above, drag CFScript into ComboFix.exe

          When finished, it shall produce a log for you at "C:\ComboFix.txt"

          Note:
          Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.



          3. In your next reply, please post the results from ComboFix, along with a new HijackThis log.

          Regards


          --------------------

          Please do not PM me asking for support.
          Please be courteous, polite, and say thank you.
          Please post the final results, good or bad. We like to know!
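As an added example, not part of this thread and not code from ComboFix or HijackThis, here is a small Python check a helper could run before posting a CFScript like the one above. It parses O2 (Browser Helper Object) lines in HijackThis v2.0.2 format, flags the patterns the script targets (no human-readable name, a registered DLL that is missing from disk, a random-looking DLL name in system32), and then reports whether each flagged CLSID and DLL path actually appears in the script's Registry:: and File:: sections. The sample log lines and script entries are copied from this thread; the heuristics, function names and the coverage report format are my own assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample input: O2 lines in HijackThis v2.0.2 format, copied
# from the log posted earlier in this thread.
HJT_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: {b23d044f-f519-142a-f984-24e140f38fe7} - {7ef83f04-1e42-489f-a241-915ff440d32b} - C:\WINDOWS\system32\sdgleevm.dll
O2 - BHO: (no name) - {99F4FDB7-60C5-441E-92B1-408B8AB99C26} - C:\WINDOWS\system32\ursrr.dll (file missing)
O2 - BHO: (no name) - {CB94BE1D-F27F-4AC5-8A9C-C43A93CAC863} - C:\Program Files\Internet Explorer\hokenowa4444.dll (file missing)
"""

# The relevant File:: and Registry:: entries from the CFScript in the reply above.
CFSCRIPT = r"""
File::
C:\WINDOWS\system32\sdgleevm.dll
C:\WINDOWS\system32\ursrr.dll
C:\Program Files\Internet Explorer\hokenowa4444.dll

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7ef83f04-1e42-489f-a241-915ff440d32b}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{99F4FDB7-60C5-441E-92B1-408B8AB99C26}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CB94BE1D-F27F-4AC5-8A9C-C43A93CAC863}]
"""

CLSID_RE = re.compile(
    r"\{[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}", re.I)
# "O2 - BHO: <name> - {CLSID} - <path>"; the name is matched non-greedily so a
# CLSID-shaped name does not swallow the real CLSID field.
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[^}]+\}) - (?P<path>.*)$")


@dataclass
class Bho:
    name: str
    clsid: str
    path: str
    reasons: list  # review reasons attached by flag(); empty means "looks ordinary"


def parse_o2(log: str) -> list:
    """Extract every O2 line of a HijackThis log as a Bho record."""
    entries = []
    for line in log.splitlines():
        m = O2_RE.match(line.strip())
        if m:
            entries.append(Bho(m["name"], m["clsid"], m["path"], []))
    return entries


def flag(bho: Bho) -> Bho:
    """Attach review reasons. These are heuristics for a human to check, not a verdict."""
    if bho.name == "(no name)" or CLSID_RE.fullmatch(bho.name):
        bho.reasons.append("no human-readable name")
    if bho.path.endswith("(file missing)") or bho.path == "(no file)":
        bho.reasons.append("registered DLL not on disk")
    fname = bho.path.split("\\")[-1].replace(" (file missing)", "")
    if "\\system32\\" in bho.path.lower() and re.fullmatch(r"[a-z]{5,8}\.dll", fname):
        bho.reasons.append("random-looking name in system32")
    return bho


def parse_cfscript(text: str) -> dict:
    """Split a CFScript into its sections ('File', 'Folder', 'Registry', ...)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("::"):
            current = line[:-2]
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def coverage(log: str, script: str) -> dict:
    """For each flagged BHO (keyed by lower-cased CLSID) report whether the script
    removes its registry key ('reg') and deletes its DLL ('file')."""
    sections = parse_cfscript(script)
    reg_clsids = {c.lower() for line in sections.get("Registry", [])
                  for c in CLSID_RE.findall(line)}
    files = {f.lower() for f in sections.get("File", [])}
    report = {}
    for bho in parse_o2(log):
        flag(bho)
        if not bho.reasons:
            continue
        path = bho.path.replace(" (file missing)", "").lower()
        report[bho.clsid.lower()] = {
            "reasons": bho.reasons,
            "reg": bho.clsid.lower() in reg_clsids,
            "file": path in files,
        }
    return report


if __name__ == "__main__":
    for clsid, info in coverage(HJT_LOG, CFSCRIPT).items():
        status = "covered" if info["reg"] and info["file"] else "NOT fully covered"
        print(f"{clsid}: {status}; reasons: {', '.join(info['reasons'])}")
```

On this sample the three entries named in the script come back as covered on both the registry and file side, while the `{7E853D72-…}` entry with `(no file)` is reported as not covered simply because the script does not list it. The report is a checklist for the person writing the script, not a judgement about any particular entry, and CLSID comparison is done case-insensitively because HijackThis and the script mix upper- and lower-case GUIDs.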
          aaronjking
          post Nov 25 2007, 02:04 AM
          Post #11


          New Member
          *

          Group: Members
          Posts: 11
          Joined: 12-November 07
          Member No.: 169,275



          ComboFix results:
          ComboFix 07-11-19.3 - Jeremy 2007-11-24 23:51:29.2 - NTFSx86
          Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.581 [GMT -7:00]
          Running from: C:\Documents and Settings\Jeremy\Desktop\ComboFix.exe
          Command switches used :: C:\Documents and Settings\Jeremy\Desktop\CFScript.txt
          * Created a new restore point

          FILE
          C:\Program Files\Internet Explorer\hokenowa4444.dll
          C:\Program Files\Internet Explorer\hokenowa83122.dll
          C:\WINDOWS\system32\diqdwbo.dll
          C:\WINDOWS\system32\dirivtkv.ini
          C:\WINDOWS\system32\egccylyo.ini
          C:\WINDOWS\system32\eusapmwh.ini
          C:\WINDOWS\system32\fiqeogjp.ini
          C:\WINDOWS\system32\iycksxpj.ini
          C:\WINDOWS\system32\jkrxobml.dll
          C:\WINDOWS\system32\mcrh.tmp
          C:\WINDOWS\system32\plxhgsfd.dll
          C:\WINDOWS\system32\pryrkrfa.dll
          C:\WINDOWS\system32\sdgleevm.dll
          C:\WINDOWS\system32\tdyuixgy.dll
          C:\WINDOWS\system32\ursrr.dll
          C:\WINDOWS\system32\wqnfbhly.ini
          C:\WINDOWS\system32\ygxiuydt.ini
          .

          ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
          .

          C:\Temp\mZOr
          C:\Temp\mZOr\tOasF.log
          C:\WINDOWS\system32\dirivtkv.ini
          C:\WINDOWS\system32\egccylyo.ini
          C:\WINDOWS\system32\eusapmwh.ini
          C:\WINDOWS\system32\fiqeogjp.ini
          C:\WINDOWS\system32\iycksxpj.ini
          C:\WINDOWS\system32\jkrxobml.dll
          C:\WINDOWS\system32\mcrh.tmp
          C:\WINDOWS\system32\Mz02r
          C:\WINDOWS\system32\plxhgsfd.dll
          C:\WINDOWS\system32\pryrkrfa.dll
          C:\WINDOWS\system32\sdgleevm.dll
          C:\WINDOWS\system32\tdyuixgy.dll
          C:\WINDOWS\system32\wqnfbhly.ini
          C:\WINDOWS\system32\ygxiuydt.ini

          .
          ((((((((((((((((((((((((( Files Created from 2007-10-25 to 2007-11-25 )))))))))))))))))))))))))))))))
          .

          2007-11-22 23:10 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
          2007-11-21 13:49 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
          2007-11-21 13:49 5,387 --a------ C:\WINDOWS\system32\jupdate-1.6.0_03-b05.log
          2007-11-21 13:48 <DIR> d-------- C:\Program Files\Common Files\Java
          2007-11-21 10:45 <DIR> d-------- C:\VundoFix Backups
          2007-11-18 01:00 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
          2007-11-18 00:59 <DIR> d-------- C:\Program Files\NBC Direct
          2007-11-18 00:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ExtendMedia
          2007-11-18 00:58 <DIR> d-------- C:\Program Files\OpenCASE
          2007-11-18 00:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TEMP
          2007-11-15 13:32 <DIR> d-------- C:\Program Files\Common Files\BitDefender
          2007-11-14 23:01 <DIR> d-------- C:\Program Files\Alwil Software
          2007-11-14 18:02 <DIR> d-------- C:\Documents and Settings\Administrator.LAPTOP\Application Data\eAcceleration
          2007-11-14 16:02 <DIR> d-------- C:\Documents and Settings\Administrator.LAPTOP\.housecall6.6
          2007-11-12 10:45 <DIR> d-------- C:\Program Files\Trend Micro
          2007-11-10 08:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
          2007-11-10 07:34 1,252 --a------ C:\WINDOWS\system32\tmp.reg
          2007-11-10 07:34 0 --a------ C:\WINDOWS\system32\tmp.txt
          2007-11-10 07:33 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
          2007-11-10 07:33 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
          2007-11-10 07:33 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
          2007-11-08 19:24 <DIR> d-------- C:\Documents and Settings\Administrator.LAPTOP\Application Data\Lavasoft
          2007-11-08 19:20 <DIR> d-------- C:\Documents and Settings\Administrator.LAPTOP\Application Data\Symantec
          2007-11-08 19:20 <DIR> d-------- C:\Documents and Settings\Administrator.LAPTOP\Application Data\Jasc Software Inc
          2007-11-08 19:20 <DIR> d-------- C:\Documents and Settings\Administrator.LAPTOP\Application Data\Intel
          2007-11-08 19:20 <DIR> d--h----- C:\Documents and Settings\Administrator.LAPTOP\Application Data\Gtek
          2007-11-04 10:12 <DIR> d-------- C:\Program Files\Norton 360
          2007-11-03 12:13 24,064 --a------ C:\WINDOWS\system32\msxml3a.dll
          2007-11-01 21:18 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Lavasoft
          2007-11-01 21:16 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Intel
          2007-11-01 21:16 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Gtek

          .
          (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
          .
          2007-11-21 20:49 --------- d-----w C:\Program Files\Java
          2007-11-12 20:46 --------- d-----w C:\Program Files\Google
          2007-11-10 14:43 --------- d-----w C:\Program Files\Common Files\Symantec Shared
          2007-11-09 19:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
          2007-11-04 21:57 --------- d-----w C:\Documents and Settings\Jeremy\Application Data\Symantec
          2007-11-03 20:24 --------- d-----w C:\Program Files\CASHFLOW 202
          2007-10-31 04:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
          2007-10-20 17:41 --------- d-----w C:\Program Files\CandleWorks
          2007-10-13 08:16 --------- d-----w C:\Documents and Settings\Jeremy\Application Data\U3
          2007-10-06 16:06 --------- d-----w C:\Documents and Settings\Jeremy\Application Data\Move Networks
          2007-10-03 03:52 --------- d-----w C:\Program Files\Common Files\Adobe
          2007-10-03 03:52 --------- d-----w C:\Documents and Settings\Jeremy\Application Data\InterTrust
          .

          ((((((((((((((((((((((((((((( snapshot@2007-11-23_13.53.25.61 )))))))))))))))))))))))))))))))))))))))))
          .
          + 2007-11-25 06:59:50 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_380.dat
          + 2007-11-25 06:59:12 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_668.dat
          .
          ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
          .
          .
          *Note* empty entries & legit default entries are not shown

          [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
          "msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 11:54]
          "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:00]
          "WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 20:05]

          [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
          "avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-09-06 04:06]
          "WinampAgent"="C:\Program Files\Winamp\winampa.exe" []
          "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]

          [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
          C:\Program Files\Intel\Wireless\Bin\LgNotify.dll 2004-09-07 14:08 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

          [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
          path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
          backup=C:\WINDOWS\pss\Digital Line Detect.lnkCommon Startup

          [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office OneNote 2003 Quick Launch.lnk]
          path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office OneNote 2003 Quick Launch.lnk
          backup=C:\WINDOWS\pss\Microsoft Office OneNote 2003 Quick Launch.lnkCommon Startup

          [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
          path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
          backup=C:\WINDOWS\pss\QuickBooks Update Agent.lnkCommon Startup

          [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Run Google Web Accelerator.lnk]
          path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Run Google Web Accelerator.lnk
          backup=C:\WINDOWS\pss\Run Google Web Accelerator.lnkCommon Startup

          [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Jeremy^Start Menu^Programs^Startup^Microsoft Office OneNote 2003 Quick Launch.lnk]
          path=C:\Documents and Settings\Jeremy\Start Menu\Programs\Startup\Microsoft Office OneNote 2003 Quick Launch.lnk
          backup=C:\WINDOWS\pss\Microsoft Office OneNote 2003 Quick Launch.lnkStartup

          [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\!AVG Anti-Spyware]
          C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe /minimized

          [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
          2007-05-11 02:06 40048 --a------ C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

          [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
          C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP

          [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BrMfcWnd]
          C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN

          [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ControlCenter3]
          C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun

          [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
          2004-08-04 03:00 15360 --a------ C:\WINDOWS\system32\ctfmon.exe

          [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
          2004-12-05 23:05 127035 --a------ C:\WINDOWS\system32\dla\tfswctrl.exe

          [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher]
          2005-01-26 23:02 86016 --a------ C:\Program Files\Dell\Media Experience\DMXLauncher.exe

          [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
          2005-02-23 14:19 53248 --------- C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

          [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
          2005-09-20 08:32 77824 --a------ C:\WINDOWS\system32\hkcmd.exe

          [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
          2005-09-20 08:36 114688 --a------ C:\WINDOWS\system32\igfxpers.exe

          [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
          2005-09-20 08:35 94208 --a------ C:\WINDOWS\system32\igfxtray.exe

          [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndexSearch]
          2005-03-17 14:45 40960 --a------ C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe

          [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelWireless]
          C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless

          [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
          C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

          [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
          C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe -start

          [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
          2007-03-14 18:05 257088 --a------ C:\Program Files\iTunes\iTunesHelper.exe

          [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark X84-X85 Button Manager]
          2002-09-04 08:36 53248 --a------ C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X84-X85.exe

          [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark X84-X85 Button Monitor]
          2003-01-08 12:36 40960 --a------ C:\PROGRA~1\LEXMAR~1\ACMonitor_X84-X85.exe

          [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
          C:\Program Files\MSN Messenger\MsnMsgr.Exe /background

          [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PaperPort PTD]
          2005-03-17 14:25 57393 --a------ C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe

          [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PrinTray]
          2002-09-18 18:52 36864 --a------ C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe

          [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
          C:\Program Files\QuickTime\qttask.exe -atboottime

          [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SetDefPrt]
          2005-01-26 18:02 49152 --a------ C:\Program Files\Brother\Brmfl06a\BrStDvPt.exe

          [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
          C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe -Embedding -boot

          [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
          C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe

          [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
          2004-05-14 12:35 536576 --a------ C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

          [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
          2004-05-13 22:23 98304 --a------ C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

          [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinDVR SchSvr]
          2004-09-08 20:51 106496 --a------ C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe

          [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
          2006-10-18 20:05 204288 --------- C:\Program Files\Windows Media Player\WMPNSCFG.exe

          [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
          "WMPNetworkSvc"=2 (0x2)
          "WLANKEEPER"=2 (0x2)
          "usnjsvc"=3 (0x3)
          "UserAccess7"=2 (0x2)
          "S24EventMonitor"=2 (0x2)
          "RegSrvc"=2 (0x2)
          "ose"=3 (0x3)
          "MDM"=2 (0x2)
          "IDriverT"=3 (0x3)
          "gusvc"=3 (0x3)
          "EvtEng"=2 (0x2)
          "DomainService"=2 (0x2)
          "CLTNetCnService"=2 (0x2)
          "Avg7UpdSvc"=2 (0x2)
          "AVG Anti-Spyware Guard"=2 (0x2)

          R2 OpenCASE Media Agent;OpenCASE Media Agent;"C:\Program Files\OpenCASE\OpenCASE Media Agent\MediaAgent.exe"
          R3 tifm;tifm;C:\WINDOWS\system32\drivers\tifm.sys
          S3 3xHybrid;3xHybrid service;C:\WINDOWS\system32\DRIVERS\3xHybrid.sys
          S3 BrScnUsb;Brother USB Still Image driver;C:\WINDOWS\system32\DRIVERS\BrScnUsb.sys
          S3 sony_ssm.sys;sony_ssm.sys;\??\C:\DOCUME~1\Jeremy\LOCALS~1\Temp\sony_ssm.sys

          [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
          \Shell\AutoRun\command - E:\LaunchU3.exe -a

          [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b6d85889-ca79-11da-b9b5-0012f0884ff1}]
          \Shell\AutoRun\command - E:\setupSNK.exe

          .
          Contents of the 'Scheduled Tasks' folder
          "2007-10-27 03:51:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
          .
          **************************************************************************

          catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
          Rootkit scan 2007-11-25 00:00:09
          Windows 5.1.2600 Service Pack 2 NTFS

          scanning hidden processes ...

          scanning hidden autostart entries ...

          scanning hidden files ...

          scan completed successfully
          hidden files: 0

          **************************************************************************
          .
          Completion time: 2007-11-25 0:02:15 - machine was rebooted
          C:\ComboFix2.txt ... 2007-11-23 13:54
          .
          --- E O F ---


          New HijackThis Log:

          Logfile of Trend Micro HijackThis v2.0.2
          Scan saved at 12:03:40 AM, on 11/25/2007
          Platform: Windows XP SP2 (WinNT 5.01.2600)
          MSIE: Internet Explorer v7.00 (7.00.6000.16544)
          Boot mode: Normal

          Running processes:
          C:\WINDOWS\System32\smss.exe
          C:\WINDOWS\system32\winlogon.exe
          C:\WINDOWS\system32\services.exe
          C:\WINDOWS\system32\lsass.exe
          C:\WINDOWS\system32\svchost.exe
          C:\WINDOWS\System32\svchost.exe
          C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
          C:\Program Files\Alwil Software\Avast4\ashServ.exe
          C:\WINDOWS\system32\spoolsv.exe
          C:\Program Files\OpenCASE\OpenCASE Media Agent\MediaAgent.exe
          C:\WINDOWS\system32\svchost.exe
          C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
          C:\WINDOWS\Explorer.EXE
          C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
          C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
          C:\WINDOWS\system32\ctfmon.exe
          C:\Program Files\Windows Media Player\WMPNSCFG.exe
          C:\WINDOWS\system32\wuauclt.exe
          C:\WINDOWS\system32\wuauclt.exe
          C:\WINDOWS\system32\wscntfy.exe
          C:\WINDOWS\system32\notepad.exe
          C:\Program Files\Internet Explorer\IEXPLORE.EXE
          C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

          O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
          O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
          O2 - BHO: Google Web Accelerator Helper - {69A87B7D-DE56-4136-9655-716BA50C19C7} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
          O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
          O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
          O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
          O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
          O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
          O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
          O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
          O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
          O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
          O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
          O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
          O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
          O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
          O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
          O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
          O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
          O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
          O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
          O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
          O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.safety.live.com/resource/d...lscbase8460.cab
          O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
          O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
          O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
          O16 - DPF: {DABFA9AD-4E31-43F4-9D60-4CDD20F57F28} (PhotomaxUploader.ActiveXControl) - http://photomax.com/web/PhotomaxUploader.CAB
          O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/popcaploader_v10.cab
          O16 - DPF: {E3E02F12-2ADB-478C-8742-5F0819F9F0F4} (Quantum Streaming IE VersionManager Class) - http://qmedia.xlontech.net/100170/sdk/late...2ie06041001.cab
          O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
          O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
          O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
          O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
          O23 - Service: OpenCASE Media Agent - ExtendMedia Inc. - C:\Program Files\OpenCASE\OpenCASE Media Agent\MediaAgent.exe

          --
          End of file - 5160 bytes


          Thanks for your work on this! I really appreciate it!
          lusitano
          post Nov 26 2007, 06:18 PM
          Post #12


          Portuguese Malware Fighter

          Group: HJT Team
          Posts: 1,443
          Joined: 5-April 07
          From: Portugal
          Member No.: 122,277



          Hello,

          1. Please download ATF Cleaner by Atribune.
          This program is for XP and Windows 2000 only
            Double-click ATF-Cleaner.exe to run the program.
            Under Main choose: Select All
            Click the Empty Selected button.
          If you use Firefox browser
            Click Firefox at the top and choose: Select All
            Click the Empty Selected button.
            NOTE: If you would like to keep your saved passwords, please click No at the prompt.
          If you use Opera browser
            Click Opera at the top and choose: Select All
            Click the Empty Selected button.
            NOTE: If you would like to keep your saved passwords, please click No at the prompt.
          Click Exit on the Main menu to close the program.
          For Technical Support, double-click the e-mail address located at the bottom of each menu.


          2. Please do an online scan with Kaspersky WebScanner

          Click on

          You will be prompted to install an ActiveX component from Kaspersky, Click
          • The program will launch and then begin downloading the latest definition files:
          • Once the files have been downloaded click on
          • Now click on
          • In the scan settings make sure that the following are selected:
            • Scan using the following Anti-Virus database:
              Extended (if available otherwise Standard)
            • Scan Options:
              Scan Archives
              Scan Mail Bases
          • Click
          • Now under select a target to scan:
              Select My Computer
          • This program will start and scan your system.
          • The scan will take a while so be patient and let it run.
          • Once the scan is complete it will display if your system has been infected.
            • Now click on the Save as Text button:
          • Save the file to your desktop.
          • Copy and paste that information in your next post, along with a new HijackThis log. Also let me know how your computer is running now.


          --------------------

          Please do not PM me asking for support.
          Please be courteous, polite, and say thank you.
          Please post the final results, good or bad. We like to know!
          aaronjking
          post Nov 27 2007, 10:33 AM
          Post #13


          New Member

          Group: Members
          Posts: 11
          Joined: 12-November 07
          Member No.: 169,275



          -------------------------------------------------------------------------------
          KASPERSKY ONLINE SCANNER REPORT
          Tuesday, November 27, 2007 8:28:21 AM
          Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
          Kaspersky Online Scanner version: 5.0.98.0
          Kaspersky Anti-Virus database last update: 27/11/2007
          Kaspersky Anti-Virus database records: 466175
          -------------------------------------------------------------------------------

          Scan Settings:
          Scan using the following antivirus database: extended
          Scan Archives: true
          Scan Mail Bases: true

          Scan Target - My Computer:
          C:\
          D:\

          Scan Statistics:
          Total number of scanned objects: 84041
          Number of viruses found: 4
          Number of infected objects: 6
          Number of suspicious objects: 2
          Duration of the scan process: 02:09:55

          Infected Object Name / Virus Name / Last Action
          C:\Documents and Settings\All Users\Application Data\Brother\BrLog\BrCollectDir\BR_cat.bat Object is locked skipped
          C:\Documents and Settings\All Users\Application Data\Brother\BrLog\BrCollectDir\BR_Compress_20061105_213552_1_1 Object is locked skipped
          C:\Documents and Settings\All Users\Application Data\Brother\BrLog\BrCollectDir\BR_PC_CHK.txt Object is locked skipped
          C:\Documents and Settings\All Users\Application Data\Brother\BrLog\BrCollectDir\Progress_log_Compress.txt Object is locked skipped
          C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
          C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
          C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\LocusSoftwareBestsellerAntivirus80.zip/Activate.exe Suspicious: Password-protected-EXE skipped
          C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\LocusSoftwareBestsellerAntivirus80.zip ZIP: suspicious - 1 skipped
          C:\Documents and Settings\Jeremy\Cookies\index.dat Object is locked skipped
          C:\Documents and Settings\Jeremy\Desktop\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
          C:\Documents and Settings\Jeremy\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
          C:\Documents and Settings\Jeremy\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
          C:\Documents and Settings\Jeremy\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
          C:\Documents and Settings\Jeremy\Local Settings\History\History.IE5\index.dat Object is locked skipped
          C:\Documents and Settings\Jeremy\Local Settings\History\History.IE5\MSHist012007112620071127\index.dat Object is locked skipped
          C:\Documents and Settings\Jeremy\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
          C:\Documents and Settings\Jeremy\ntuser.dat Object is locked skipped
          C:\Documents and Settings\Jeremy\ntuser.dat.LOG Object is locked skipped
          C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
          C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
          C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
          C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
          C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
          C:\Documents and Settings\LocalService\ntuser.dat Object is locked skipped
          C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
          C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
          C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
          C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
          C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
          C:\Program Files\Alwil Software\Avast4\DATA\aswResp.dat Object is locked skipped
          C:\Program Files\Alwil Software\Avast4\DATA\Avast4.db Object is locked skipped
          C:\Program Files\Alwil Software\Avast4\DATA\log\AshWebSv.ws Object is locked skipped
          C:\Program Files\Alwil Software\Avast4\DATA\log\aswMaiSv.log Object is locked skipped
          C:\Program Files\Alwil Software\Avast4\DATA\log\nshield.log Object is locked skipped
          C:\Program Files\Alwil Software\Avast4\DATA\report\Resident protection.txt Object is locked skipped
          C:\Program Files\Online Services\profsy.html Infected: Trojan-Clicker.HTML.IFrame.dn skipped
          C:\Program Files\OpenCASE\OpenCASE Media Agent\logs\csm.log Object is locked skipped
          C:\qoobox\Quarantine\C\WINDOWS\system32\jkrxobml.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.i skipped
          C:\qoobox\Quarantine\C\WINDOWS\system32\sdgleevm.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.i skipped
          C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
          C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP4\A0000092.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.i skipped
          C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP4\A0000095.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.i skipped
          C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP6\change.log Object is locked skipped
          C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
          C:\WINDOWS\SchedLgU.Txt Object is locked skipped
          C:\WINDOWS\SoftwareDistribution\EventCache\{F4E811E0-77C3-40FC-8B2E-231AB441AD02}.bin Object is locked skipped
          C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
          C:\WINDOWS\Sti_Trace.log Object is locked skipped
          C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
          C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
          C:\WINDOWS\system32\config\Antivirus.Evt Object is locked skipped
          C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
          C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
          C:\WINDOWS\system32\config\default.LOG Object is locked skipped
          C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
          C:\WINDOWS\system32\config\SAM Object is locked skipped
          C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
          C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
          C:\WINDOWS\system32\config\SECURITY Object is locked skipped
          C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
          C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
          C:\WINDOWS\system32\config\software.LOG Object is locked skipped
          C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
          C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
          C:\WINDOWS\system32\config\system.LOG Object is locked skipped
          C:\WINDOWS\system32\h323log.txt Object is locked skipped
          C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
          C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
          C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
          C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
          C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
          C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
          C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
          C:\WINDOWS\Temp\Perflib_Perfdata_640.dat Object is locked skipped
          C:\WINDOWS\Temp\_avast4_\Webshlock.txt Object is locked skipped
          C:\WINDOWS\wiadebug.log Object is locked skipped
          C:\WINDOWS\wiaservc.log Object is locked skipped
          C:\WINDOWS\WindowsUpdate.log Object is locked skipped

          Scan process completed.




          HijackThis log:
          Logfile of Trend Micro HijackThis v2.0.2
          Scan saved at 8:32:28 AM, on 11/27/2007
          Platform: Windows XP SP2 (WinNT 5.01.2600)
          MSIE: Internet Explorer v7.00 (7.00.6000.16544)
          Boot mode: Normal

          Running processes:
          C:\WINDOWS\System32\smss.exe
          C:\WINDOWS\system32\winlogon.exe
          C:\WINDOWS\system32\services.exe
          C:\WINDOWS\system32\lsass.exe
          C:\WINDOWS\system32\svchost.exe
          C:\WINDOWS\System32\svchost.exe
          C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
          C:\Program Files\Alwil Software\Avast4\ashServ.exe
          C:\WINDOWS\system32\spoolsv.exe
          C:\Program Files\OpenCASE\OpenCASE Media Agent\MediaAgent.exe
          C:\WINDOWS\system32\svchost.exe
          C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
          C:\WINDOWS\Explorer.EXE
          C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
          C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
          C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
          C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
          C:\Program Files\MSN Messenger\msnmsgr.exe
          C:\WINDOWS\system32\ctfmon.exe
          C:\Program Files\Windows Media Player\WMPNSCFG.exe
          C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe
          C:\Program Files\Internet Explorer\IEXPLORE.EXE
          C:\WINDOWS\system32\wuauclt.exe
          C:\Program Files\Common Files\Real\Update_OB\realsched.exe
          C:\WINDOWS\system32\msiexec.exe
          C:\WINDOWS\system32\NOTEPAD.EXE
          C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

          O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
          O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
          O2 - BHO: Google Web Accelerator Helper - {69A87B7D-DE56-4136-9655-716BA50C19C7} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
          O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
          O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
          O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
          O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
          O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
          O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
          O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
          O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
          O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
          O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
          O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
          O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
          O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
          O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
          O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
          O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
          O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
          O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
          O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
          O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
          O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
          O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.safety.live.com/resource/d...lscbase8460.cab
          O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
          O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
          O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
          O16 - DPF: {DABFA9AD-4E31-43F4-9D60-4CDD20F57F28} (PhotomaxUploader.ActiveXControl) - http://photomax.com/web/PhotomaxUploader.CAB
          O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/popcaploader_v10.cab
          O16 - DPF: {E3E02F12-2ADB-478C-8742-5F0819F9F0F4} (Quantum Streaming IE VersionManager Class) - http://qmedia.xlontech.net/100170/sdk/late...2ie06041001.cab
          O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
          O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
          O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
          O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
          O23 - Service: OpenCASE Media Agent - ExtendMedia Inc. - C:\Program Files\OpenCASE\OpenCASE Media Agent\MediaAgent.exe

          --
          End of file - 5642 bytes


          The computer is running a lot better now. I think it's at about 80% of what it was before this whole thing started. Thank you so much for your help!
          lusitano
          post Nov 28 2007, 04:56 AM
          Post #14


          Portuguese Malware Fighter

          Group: HJT Team
          Posts: 1,443
          Joined: 5-April 07
          From: Portugal
          Member No.: 122,277



          Hello,

          Good job!
          Please empty the Spybot Recovery folder (C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery <- this folder) and your logs will be clean.

          Time for some housekeeping
          • Click START then RUN
          • Now type Combofix /u in the runbox and click OK
          • When shown the disclaimer, Select "2"
          The above procedure will:
          • Delete the following:
            • ComboFix and its associated files and folders.
            • VundoFix backups, if present
            • The C:\Deckard folder, if present
            • The C:\_OtMoveIt folder, if present
          • Reset the clock settings.
          • Hide file extensions, if required.
          • Hide System/Hidden files, if required.
          • Reset System Restore.
          Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
          1. Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and re-enable system restore to make sure there are no infected files found in a restore point.

            You can find instructions on how to disable and re-enable system restore here:

            Windows XP System Restore Guide

            Re-enable system restore with instructions from the tutorial above

          2. Make your Internet Explorer more secure - This can be done by following these simple instructions:
            1. From within Internet Explorer click on the Tools menu and then click on Options.
            2. Click once on the Security tab
            3. Click once on the Internet icon so it becomes highlighted.
            4. Click once on the Custom Level button.
              1. Change the Download signed ActiveX controls to Prompt
              2. Change the Download unsigned ActiveX controls to Disable
              3. Change the Initialize and script ActiveX controls not marked as safe to Disable
              4. Change the Installation of desktop items to Prompt
              5. Change the Launching programs and files in an IFRAME to Prompt
              6. Change the Navigate sub-frames across different domains to Prompt
              7. When all these settings have been made, click on the OK button.
              8. If it prompts you as to whether or not you want to save the settings, press the Yes button.
            5. Next press the Apply button and then the OK to exit the Internet Properties page.
          3. Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

            See this link for a listing of some online & their stand-alone antivirus programs:

            Virus, Spyware, and Malware Protection and Removal Resources

          4. Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

          5. Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

            For a tutorial on Firewalls and a listing of some available ones see the link below:

            Understanding and Using Firewalls

          6. Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

          7. Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with this program on a regular basis just as you would an antivirus software.

            A tutorial on installing & using this product can be found here:

            Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

          8. Install Ad-Aware - Install and download Ad-Aware. You should also scan your computer with this program on a regular basis just as you would an antivirus software, in conjunction with Spybot.

            A tutorial on installing & using this product can be found here:

            Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer

          9. Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

            A tutorial on installing & using this product can be found here:

            Using SpywareBlaster to protect your computer from Spyware and Malware

          10. Read TonyKlein's good advice: So how did I get infected in the first place?

          11. Also visit the Secunia Software Inspector

          12. Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
          Follow this list and your potential for being infected again will reduce dramatically.

          Here are some additional utilities that will enhance your safety:
          • IE/Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
          • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
          • Google Toolbar <= Get the free Google toolbar to help stop pop up windows.
          • Winpatrol <= Download and install the free version of Winpatrol. A tutorial for this product is located here:
            Using Winpatrol to protect your computer from malicious software
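The Internet Explorer hardening in step 2 above is done by clicking through the Custom Level dialog; the script below is an added example (not part of lusitano's post or any BleepingComputer tool) that audits the same six Internet-zone settings from the registry so you can verify they stuck, and can apply them with -WhatIf support. It assumes the action IDs and the value meanings (0 = Enable, 1 = Prompt, 3 = Disable) from Microsoft's documented layout of the Zones registry key, which the post does not state, and that the settings are not locked to HKLM by policy.

```powershell
# Added example, not from the post: audit the Internet zone (zone 3) Custom Level
# settings recommended in step 2 by reading them from the registry.
# Assumption: action IDs and value meanings follow Microsoft's documented
# "Internet Settings\Zones" layout (0 = Enable, 1 = Prompt, 3 = Disable).
$ZonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# Action ID -> setting name as shown in the Custom Level dialog, and the value the post recommends.
$Recommended = [ordered]@{
    '1001' = @{ Name = 'Download signed ActiveX controls';                          Value = 1 }  # Prompt
    '1004' = @{ Name = 'Download unsigned ActiveX controls';                        Value = 3 }  # Disable
    '1201' = @{ Name = 'Initialize and script ActiveX controls not marked as safe'; Value = 3 }  # Disable
    '1800' = @{ Name = 'Installation of desktop items';                             Value = 1 }  # Prompt
    '1804' = @{ Name = 'Launching programs and files in an IFRAME';                 Value = 1 }  # Prompt
    '1607' = @{ Name = 'Navigate sub-frames across different domains';              Value = 1 }  # Prompt
}

$ValueNames = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-IEInternetZoneHardening {
    <# Returns one object per setting with its current value, the recommended value, and a Compliant flag. #>
    $current = Get-ItemProperty -Path $ZonePath -ErrorAction Stop
    foreach ($id in $Recommended.Keys) {
        $actual = $current.$id   # $null when the value is absent; IE then falls back to the zone default
        $label = if ($null -eq $actual) { '(not set)' }
                 elseif ($ValueNames.ContainsKey([int]$actual)) { $ValueNames[[int]$actual] }
                 else { "raw value $actual" }
        [pscustomobject]@{
            ActionId    = $id
            Setting     = $Recommended[$id].Name
            Current     = $label
            Recommended = $ValueNames[$Recommended[$id].Value]
            Compliant   = ($actual -eq $Recommended[$id].Value)
        }
    }
}

function Set-IEInternetZoneHardening {
    <# Applies the recommended values to every non-compliant setting. Run with -WhatIf first. #>
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    foreach ($row in (Get-IEInternetZoneHardening | Where-Object { -not $_.Compliant })) {
        $change = "$($row.Setting): $($row.Current) -> $($row.Recommended)"
        if ($PSCmdlet.ShouldProcess($ZonePath, $change)) {
            Set-ItemProperty -Path $ZonePath -Name $row.ActionId `
                -Value $Recommended[$row.ActionId].Value -Type DWord
        }
    }
}

# Report the current state; nothing is changed unless Set-IEInternetZoneHardening is called.
Get-IEInternetZoneHardening | Format-Table -AutoSize
```

If the Security_HKLM_only policy is in effect the values live under HKLM instead of HKCU, and the audit will report them as not set.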

