Post #1 (Jul 4 2008, 12:04 PM) by Gypsys Kiss. Member; Group: Members; Posts: 16; Joined: 30-October 07; Member No.: 166,338
Ever since my partner's grandson managed 20 minutes of unsupervised access on this laptop I have been experiencing problems. As soon as I switch on, avast picks up at least one virus alert, usually 2 or 3. This is before I open IE. I also keep getting unasked-for pages opening offering to scan the PC, as well as others. Also I cannot seem to switch on automatic updates in the Windows Security Centre. Here is the DSS scan main text. The extra text didn't appear, or rather it did the first time I ran DSS, but the PC went on the fritz and it hasn't appeared on either of the 2 times I've run DSS since. Hope you can help, Gypsys Kiss.

Deckard's System Scanner v20071014.68
Run by user on 2008-07-04 17:08:46
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Total Physical Memory: 511 MiB (512 MiB recommended).

-- HijackThis (run as user.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:08:56, on 04/07/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\pctspk.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Linksys\Wireless-B Notebook Adapter\WPC11Cfg.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Documents and Settings\user\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\user.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tiscali.co.uk/
O2 - BHO: (no name) - {1c8da925-538a-4356-a089-538c776aaa1e} - (no file)
O2 - BHO: (no name) - {3ABBCEAB-E788-4206-9377-95BBB9E3E5CC} - C:\WINDOWS\system32\ssqOETlJ.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {753C2B59-E480-43FA-88EA-EDE14633B7B9} - C:\WINDOWS\system32\urqRJYoL.dll
O2 - BHO: (no name) - {8A1C9F69-38A0-4766-8A2E-F16B5AFC1829} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {AC0EA732-A6CE-4FE9-9C96-F51AE76C6D25} - C:\WINDOWS\system32\ddcBTLee.dll (file missing)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: (no name) - {B956D9BD-A309-4D5B-B832-A1DB3794B2AE} - (no file)
O2 - BHO: (no name) - {BA2A2046-75A4-47C0-A09C-F0DCC706D39B} - C:\WINDOWS\system32\cbXRLbBS.dll (file missing)
O2 - BHO: (no name) - {DEF2E0A9-1305-4F74-988F-DE727A0C16F8} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [BMd75705b2] Rundll32.exe "C:\WINDOWS\system32\scthqbmk.dll",s
O4 - HKLM\..\Run: [d464362e] rundll32.exe "C:\WINDOWS\system32\fnnsgonx.dll",b
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Wireless-B Notebook Adapter Utility.lnk = C:\Program Files\Linksys\Wireless-B Notebook Adapter\WPC11Cfg.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {138E6DC9-722B-4F4B-B09D-95D191869696} (Bebo Uploader Control) - http://www.bebo.com/files/BeboUploader.5.1.4.cab
O20 - Winlogon Notify: Antiwpa - C:\WINDOWS\SYSTEM32\antiwpa.dll
O20 - Winlogon Notify: cbXRLbBS - cbXRLbBS.dll (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

--
End of file - 5487 bytes

-- Files created between 2008-06-04 and 2008-07-04 -----------------------------

2008-07-04 17:05:32 0 d-------- C:\Program Files\Trend Micro
2008-07-04 16:12:47 104960 --a------ C:\WINDOWS\system32\qzwilm.dll
2008-07-04 16:12:44 104960 --a------ C:\WINDOWS\system32\fnisqeus.dll
2008-07-04 16:08:29 83456 --a------ C:\WINDOWS\system32\unkecdyy.dll
2008-07-04 16:02:28 548041 --ahs---- C:\WINDOWS\system32\LoYJRqru.ini2
2008-07-04 16:02:23 284672 --a------ C:\WINDOWS\system32\urqRJYoL.dll
2008-07-04 13:34:06 104960 --a------ C:\WINDOWS\system32\gmhrcv.dll
2008-07-04 13:34:03 104960 --a------ C:\WINDOWS\system32\pgtghwcq.dll
2008-07-04 13:30:55 567537 --ahs---- C:\WINDOWS\system32\eeLTBcdd.ini2
2008-07-03 18:19:32 104448 --a------ C:\WINDOWS\system32\ctboof.dll
2008-07-03 18:19:26 104448 --a------ C:\WINDOWS\system32\lhmmwicv.dll
2008-07-03 18:19:15 87040 --a------ C:\WINDOWS\system32\oekhompy.dll
2008-07-02 17:36:32 104448 --a------ C:\WINDOWS\system32\uofqgx.dll
2008-07-02 17:36:30 104448 --a------ C:\WINDOWS\system32\cwevrxac.dll
2008-06-30 22:55:46 0 d--hs---- C:\FOUND.001
2008-06-30 18:42:55 691545 --a------ C:\WINDOWS\unins000.exe
2008-06-30 18:42:55 2549 --a------ C:\WINDOWS\unins000.dat
2008-06-30 18:32:19 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy <SPYBOT~1>
2008-06-29 21:32:59 104448 --a------ C:\WINDOWS\system32\mbagxj.dll
2008-06-29 21:32:57 104448 --a------ C:\WINDOWS\system32\pqrtewtn.dll
2008-06-28 21:24:41 94208 --a------ C:\WINDOWS\system32\bxhsenck.dll
2008-06-28 00:50:23 7639 --a------ C:\WINDOWS\extend.dat
2008-06-27 21:38:51 0 d-------- C:\WINDOWS\system32\appmgmt
2008-06-27 21:21:46 576732 --ahs---- C:\WINDOWS\system32\JlTEOqss.ini2
2008-06-27 21:16:37 34304 --a------ C:\WINDOWS\system32\cbXRLbBS.dll
2008-06-27 21:11:57 0 d-------- C:\Documents and Settings\user\Application Data\LimeWire
2008-06-27 21:02:42 0 d-------- C:\Program Files\LimeWire
2008-06-22 18:09:30 0 d-------- C:\Program Files\MFInstall
2008-06-21 00:29:02 0 d--hs---- C:\WINDOWS\CSC
2008-06-21 00:08:45 0 d-------- C:\Documents and Settings\user\Application Data\Help
2008-06-20 22:58:50 0 d-------- C:\Documents and Settings\user\Contacts
2008-06-20 22:58:10 0 d-------- C:\WINDOWS\system32\DRVSTORE
2008-06-20 22:18:59 0 d--hs---- C:\Program Files\Common Files\WindowsLiveInstaller
2008-06-20 22:18:47 0 d-------- C:\Program Files\Windows Live
2008-06-20 22:18:36 0 d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-06-20 22:11:54 0 d-------- C:\Documents and Settings\user\Application Data\Adobe
2008-06-19 16:20:18 0 d-------- C:\Documents and Settings\user\Application Data\Google
2008-06-19 16:20:07 0 d-------- C:\Documents and Settings\All Users\Application Data\Google
2008-06-19 16:19:26 0 d-------- C:\Documents and Settings\All Users\Application Data\Google Updater
2008-06-19 16:19:23 0 d-------- C:\Program Files\Google
2008-06-19 16:18:00 0 d---s---- C:\Documents and Settings\user\UserData
2008-06-14 13:45:48 139536 --a------ C:\WINDOWS\system32\javaee.dll <Not Verified; Microsoft Corporation; Microsoft® Windows ® Operating System>
2008-06-14 12:53:32 0 d-------- C:\WINDOWS\system32\PreInstall
2008-06-14 12:53:30 0 d--h----- C:\WINDOWS\$hf_mig$
2008-06-14 10:31:55 0 d-------- C:\WINDOWS\.jagex_cache_32
2008-06-14 10:29:58 0 d-------- C:\WINDOWS\system32\SoftwareDistribution
2008-06-12 18:44:55 0 d-------- C:\Documents and Settings\user\Application Data\Macromedia
2008-06-12 17:13:51 0 d-------- C:\Program Files\Alwil Software
2008-06-10 17:01:59 543712 -ra------ C:\WINDOWS\system32\drivers\ar5211.sys <Not Verified; Atheros Communications, Inc.; Atheros AR5001 Wireless Network Adapter>

-- Find3M Report ---------------------------------------------------------------

Nothing modified in this timespan.

-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1c8da925-538a-4356-a089-538c776aaa1e}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3ABBCEAB-E788-4206-9377-95BBB9E3E5CC}]
C:\WINDOWS\system32\ssqOETlJ.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{753C2B59-E480-43FA-88EA-EDE14633B7B9}]
04/07/2008 16:02 284672 --a------ C:\WINDOWS\system32\urqRJYoL.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8A1C9F69-38A0-4766-8A2E-F16B5AFC1829}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AC0EA732-A6CE-4FE9-9C96-F51AE76C6D25}]
C:\WINDOWS\system32\ddcBTLee.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B956D9BD-A309-4D5B-B832-A1DB3794B2AE}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BA2A2046-75A4-47C0-A09C-F0DCC706D39B}]
C:\WINDOWS\system32\cbXRLbBS.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DEF2E0A9-1305-4F74-988F-DE727A0C16F8}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [17/03/2003 18:21]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [17/03/2003 18:20]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [10/02/2004 11:55]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [10/02/2004 11:51]
"PCTVOICE"="pctspk.exe" [18/07/2002 16:58 C:\WINDOWS\system32\pctspk.exe]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [15/05/2008 23:19]
"BMd75705b2"="C:\WINDOWS\system32\scthqbmk.dll" []
"d464362e"="C:\WINDOWS\system32\fnnsgonx.dll" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [04/08/2004 12:00]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [19/06/2008 16:19]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [28/01/2008 11:43]

C:\Documents and Settings\user\Start Menu\Programs\Startup\
Office Startup.lnk - C:\Program Files\Microsoft Office\Office\OSA.EXE [17/11/1996]
Microsoft Find Fast.lnk - C:\Program Files\Microsoft Office\Office\FINDFAST.EXE [17/11/1996]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Wireless-B Notebook Adapter Utility.lnk - C:\Program Files\Linksys\Wireless-B Notebook Adapter\WPC11Cfg.exe [21/09/2006 19:35:07]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{BA2A2046-75A4-47C0-A09C-F0DCC706D39B}"= C:\WINDOWS\system32\cbXRLbBS.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Antiwpa]
antiwpa.dll 18/09/2005 02:32 5376 C:\WINDOWS\system32\antiwpa.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cbXRLbBS]
cbXRLbBS.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\urqRJYoL

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{56e56670-49a6-11db-9362-806d6172696f}]
AutoRun\command- D:\Setup.exe AutoRun

-- End of Deckard's System Scanner: finished at 2008-07-04 17:10:21 ------------
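An added example, not code from the thread or from HijackThis, DSS, MBAM or ComboFix: a small Python triage that scores the O2, O4 and O20 lines of a HijackThis log for the indicators a helper looks for in the log above (unnamed BHOs, components reported missing, random 8-letter DLL names in system32, hex-like Run value names that launch rundll32, and one DLL registered under several load points). The sample lines are copied from the log in this post; the name heuristics are this example's own assumptions, not rules of any of those tools.

```python
"""Triage of HijackThis log entries for Vundo-style load points.

Added example for this thread, not code from HijackThis, DSS, MBAM or
ComboFix; the name heuristics below are this example's own assumptions.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Line shapes of the three HijackThis sections examined here.
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<target>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU|HKUS\\[^\\]+)\\\.\.\\Run: \[(?P<value>[^\]]+)\] (?P<cmd>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<target>.*)$")
HEXNAME_RE = re.compile(r"^(BM)?[0-9a-f]{8}$")  # "d464362e", "BMd75705b2" (heuristic)
STEM_RE = re.compile(r'([^\\"\s]+)\.dll', re.IGNORECASE)  # DLL file name without extension

# Constructed sample: lines copied from the HijackThis log in post #1 above.
SAMPLE_LOG = r"""
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {753C2B59-E480-43FA-88EA-EDE14633B7B9} - C:\WINDOWS\system32\urqRJYoL.dll
O2 - BHO: (no name) - {BA2A2046-75A4-47C0-A09C-F0DCC706D39B} - C:\WINDOWS\system32\cbXRLbBS.dll (file missing)
O2 - BHO: (no name) - {8A1C9F69-38A0-4766-8A2E-F16B5AFC1829} - (no file)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [BMd75705b2] Rundll32.exe "C:\WINDOWS\system32\scthqbmk.dll",s
O4 - HKLM\..\Run: [d464362e] rundll32.exe "C:\WINDOWS\system32\fnnsgonx.dll",b
O20 - Winlogon Notify: Antiwpa - C:\WINDOWS\SYSTEM32\antiwpa.dll
O20 - Winlogon Notify: cbXRLbBS - cbXRLbBS.dll (file missing)
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""


@dataclass
class Finding:
    section: str
    line: str
    reasons: List[str] = field(default_factory=list)
    stem: Optional[str] = None  # DLL name referenced by the entry, if any

    @property
    def score(self) -> int:
        return len(self.reasons)


def check_target(f: Finding, target: str) -> None:
    """Checks shared by every entry that names a file."""
    if target.endswith("(file missing)"):
        f.reasons.append("file missing: component deleted or renamed since it was registered")
    m = STEM_RE.search(target)
    f.stem = m.group(1) if m else None
    # Vundo drops DLLs with random 8-letter names into system32 (urqRJYoL, cbXRLbBS, ...).
    if f.stem and "\\system32\\" in target.lower() and re.fullmatch(r"[A-Za-z]{8}", f.stem):
        f.reasons.append("random-looking 8-letter DLL name in system32")


def triage(log_text: str) -> List[Finding]:
    """Return the flagged O2/O4/O20 entries, highest score first."""
    findings: List[Finding] = []
    for line in (raw.strip() for raw in log_text.splitlines()):
        m = O2_RE.match(line)
        if m:
            f = Finding("O2", line)
            if m["name"] == "(no name)":
                f.reasons.append("BHO registered without a name")
            if m["target"] == "(no file)":
                f.reasons.append("orphaned BHO registration with no file")
            else:
                check_target(f, m["target"])
            findings.append(f)
            continue
        m = O4_RE.match(line)
        if m:
            f = Finding("O4", line)
            if HEXNAME_RE.match(m["value"]):
                f.reasons.append("hex-like Run value name")
            if m["cmd"].lower().startswith("rundll32"):
                f.reasons.append("rundll32 used to load a DLL at startup")
            check_target(f, m["cmd"])
            findings.append(f)
            continue
        m = O20_RE.match(line)
        if m:
            f = Finding("O20", line, ["Winlogon Notify DLL is loaded into winlogon.exe at logon"])
            check_target(f, m["target"])
            findings.append(f)
    # One DLL under several load points (BHO plus Winlogon Notify here) is the Vundo pattern.
    stems = [f.stem.lower() for f in findings if f.stem]
    for f in findings:
        if f.stem and stems.count(f.stem.lower()) > 1:
            f.reasons.append("same DLL registered under more than one load point")
    return sorted((f for f in findings if f.reasons), key=lambda f: f.score, reverse=True)


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.score}] {f.section}: {f.line}")
        for reason in f.reasons:
            print("      -", reason)
```

Entries that match none of the heuristics (the Spybot BHO, the avast Run key, the O23 service line) are left out of the result, so the output is the short list a helper would actually review.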
Post #2 (Jul 5 2008, 04:43 PM) by Thunder. Forum Addict; Group: HJT Team; Posts: 2,252; Joined: 12-December 05; From: Belgium; Member No.: 44,294
Hello Gypsys Kiss and welcome to BleepingComputer,
1. * Clean your Cache and Cookies in IE:

Double-click mbam-setup.exe to install the application.

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

3. Please visit this webpage for instructions for downloading and running ComboFix: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first (not for Windows Vista users!). The Windows Recovery Console will allow you to boot up into a special recovery mode, in case your computer has a problem after an attempted removal of malware. This allows us to help you. (WinXP SP3 users, please download the appropriate SP2 file, Home or Pro, to install the RC.)

In the event you already have ComboFix, delete your current version and download the latest version as described in the tutorial. It must be saved directly to your desktop.

Note: Make sure not to click ComboFix's window while it's running. That may cause it to stall or freeze.

Please post the log from ComboFix (can also be found as C:\ComboFix.txt) in your next reply.

If you have any questions along the way, STOP and ask them before proceeding!!

Greetings,
Thunder
Post #3 (Jul 6 2008, 06:11 AM) by Gypsys Kiss. Member; Group: Members; Posts: 16; Joined: 30-October 07; Member No.: 166,338
Hi Thunder
When I try to drag the recovery program into ComboFix it fails and says: 'The application or DLL C:\WINDOWS\system32\cbXRLbBs.dll is not a valid Windows image. Please check this against your installation diskette.' ComboFix wants to start anyway. There is a disclaimer of warranty window showing. Should I continue? This is a different PC, so I can't post the MBAM log at the moment.

This post has been edited by Gypsys Kiss: Jul 6 2008, 06:13 AM
Post #4 (Jul 6 2008, 01:47 PM) by Thunder. Forum Addict; Group: HJT Team; Posts: 2,252; Joined: 12-December 05; From: Belgium; Member No.: 44,294
Hello Gypsys Kiss,
Please install the Recovery Console and then run ComboFix like this: to install the Recovery Console, use the file download here: http://support.microsoft.com/kb/310994 at the bottom of the page, for WinXP SP2 (Home or Pro version depending on your system), and drag it into ComboFix. That'll set off the installation and, when installed, will provide the possibility to continue with the ComboFix scan.

If you follow the ComboFix tutorial, you'll notice the disclaimer window is normal. You can continue and run ComboFix.

Greetings,
Thunder
Post #5 (Jul 7 2008, 12:00 PM) by Gypsys Kiss. Member; Group: Members; Posts: 16; Joined: 30-October 07; Member No.: 166,338
Hi Thunder
Did the scans and all seemed to go OK. Since I ran the MBAM scan I have stopped getting all the virus alerts. Here are the logs.

ComboFix 08-07-05.1 - user 2008-07-07 17:40:09.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.300 [GMT 0:00]
Running from: C:\Documents and Settings\user\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\user\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\BMd75705b2.txt
C:\WINDOWS\system32\bxhsenck.dll
C:\WINDOWS\system32\cbXRLbBS.dll
C:\WINDOWS\system32\ctboof.dll
C:\WINDOWS\system32\eeLTBcdd.ini
C:\WINDOWS\system32\eeLTBcdd.ini2
C:\WINDOWS\system32\euvvgfrt.dll
C:\WINDOWS\system32\fnisqeus.dll
C:\WINDOWS\system32\gmhrcv.dll
C:\WINDOWS\system32\hqvtpvmh.ini
C:\WINDOWS\system32\jgkqpu.dll
C:\WINDOWS\system32\JlTEOqss.ini
C:\WINDOWS\system32\JlTEOqss.ini2
C:\WINDOWS\system32\kmlblhnl.ini
C:\WINDOWS\system32\lhmmwicv.dll
C:\WINDOWS\system32\LoYJRqru.ini
C:\WINDOWS\system32\LoYJRqru.ini2
C:\WINDOWS\system32\mbagxj.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\pgtghwcq.dll
C:\WINDOWS\system32\pqrtewtn.dll
C:\WINDOWS\system32\qzwilm.dll
C:\WINDOWS\system32\sxuohuov.ini
C:\WINDOWS\system32\urqRJYoL.dll
C:\WINDOWS\system32\xnogsnnf.ini
C:\WINDOWS\system32\xnooiggj.ini
.
((((((((((((((((((((((((( Files Created from 2008-06-07 to 2008-07-07 )))))))))))))))))))))))))))))))
.
2008-07-06 11:19 . 2008-07-06 11:19 13,646 --a------ C:\WINDOWS\system32\wpa.bak
2008-07-06 11:00 . 2008-07-06 11:00 <DIR> d-------- C:\Documents and Settings\user\Application Data\Malwarebytes
2008-07-06 10:59 . 2008-07-06 10:59 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-06 10:59 . 2008-07-06 10:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-06 10:59 . 2008-06-28 14:21 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-07-06 10:59 . 2008-06-28 14:21 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-07-05 18:18 . 2008-07-05 18:18 <DIR> d--hs---- C:\FOUND.003
2008-07-05 10:23 . 2008-07-05 10:23 7,168 --a------ C:\WINDOWS\user.pcb
2008-07-05 08:56 . 2008-07-05 08:56 <DIR> d--hs---- C:\FOUND.002
2008-07-04 17:05 . 2008-07-04 17:05 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-04 16:25 . 2008-07-04 16:25 <DIR> d-------- C:\Deckard
2008-07-04 15:11 . 2008-07-04 15:12 152 --a------ C:\WINDOWS\wininit.ini
2008-06-30 22:55 . 2008-06-30 22:55 <DIR> d--hs---- C:\FOUND.001
2008-06-30 18:44 . 2008-06-30 18:44 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-06-30 18:42 . 2008-06-30 18:38 691,545 --a------ C:\WINDOWS\unins000.exe
2008-06-30 18:42 . 2008-06-30 18:42 2,549 --a------ C:\WINDOWS\unins000.dat
2008-06-30 18:32 . 2008-06-30 18:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-28 21:24 . 2008-07-04 15:16 110,461 --a------ C:\WINDOWS\BMd75705b2.xml
2008-06-28 00:50 . 2008-07-05 10:24 262,144 --a------ C:\WINDOWS\outlook.pst
2008-06-28 00:50 . 2008-06-28 00:50 23,462 --a------ C:\WINDOWS\Microsoft Outlook.FAV
2008-06-28 00:50 . 2008-06-28 00:50 7,639 --a------ C:\WINDOWS\extend.dat
2008-06-27 21:11 . 2008-06-27 21:11 <DIR> d-------- C:\Documents and Settings\user\Application Data\LimeWire
2008-06-27 21:02 . 2008-06-27 21:02 <DIR> d-------- C:\Program Files\LimeWire
2008-06-22 20:44 . 2008-06-22 22:33 204,800 --a------ C:\ffastunT.ffl
2008-06-22 18:09 . 2008-06-22 18:09 <DIR> d-------- C:\Program Files\MFInstall
2008-06-21 10:51 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-06-21 10:51 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2008-06-21 10:51 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-06-21 00:08 . 2008-06-21 00:08 120,872 --a------ C:\WINDOWS\system32\MSForms.TWD
2008-06-20 22:58 . 2008-06-20 22:58 <DIR> d-------- C:\WINDOWS\system32\DRVSTORE
2008-06-20 22:58 . 2008-06-20 22:58 <DIR> d-------- C:\Documents and Settings\user\Contacts
2008-06-20 22:18 . 2008-06-20 22:18 <DIR> d-------- C:\Program Files\Windows Live
2008-06-20 22:18 . 2008-06-20 22:19 <DIR> d--hs---- C:\Program Files\Common Files\WindowsLiveInstaller
2008-06-20 22:18 . 2008-06-20 22:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-06-19 16:19 . 2008-06-19 16:19 <DIR> d-------- C:\Program Files\Google
2008-06-19 16:19 . 2008-06-19 16:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Google Updater
2008-06-19 16:18 . 2008-06-19 16:18 <DIR> d---s---- C:\Documents and Settings\user\UserData
2008-06-14 13:45 . 2003-02-28 18:26 139,536 --a------ C:\WINDOWS\system32\javaee.dll
2008-06-14 13:00 . 2008-06-13 13:10 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-06-14 13:00 . 2008-06-13 13:10 272,128 --------- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-14 12:53 . 2008-06-14 12:53 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-06-14 12:53 . 2005-06-28 10:21 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-06-14 10:31 . 2008-06-14 10:31 <DIR> d-------- C:\WINDOWS\.jagex_cache_32
2008-06-13 18:51 . 2008-06-13 18:51 35,262 --a------ C:\WINDOWS\user.acl
2008-06-13 06:22 . 2001-08-17 13:48 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2008-06-13 06:22 . 2001-08-17 13:48 12,160 --a------ C:\WINDOWS\system32\dllcache\mouhid.sys
2008-06-13 06:22 . 2001-08-17 14:02 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2008-06-13 06:22 . 2001-08-17 14:02 9,600 --a------ C:\WINDOWS\system32\dllcache\hidusb.sys
2008-06-12 17:13 . 2008-06-12 17:13 <DIR> d-------- C:\Program Files\Alwil Software
2008-06-12 17:13 . 2003-03-18 21:20 1,060,864 --a------ C:\WINDOWS\system32\MFC71.dll
2008-06-12 17:13 . 2003-03-18 20:14 499,712 --a------ C:\WINDOWS\system32\MSVCP71.dll
2008-06-12 17:13 . 2003-02-21 04:42 348,160 --a------ C:\WINDOWS\system32\MSVCR71.dll
2008-06-10 17:01 . 2007-03-27 05:27 543,712 -ra------ C:\WINDOWS\system32\drivers\ar5211.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-06 11:11 5,376 ------w C:\WINDOWS\system32\antiwpa.dll
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\RMCast.sys
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\dllcache\rmcast.sys
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\dllcache\quartz.dll
2008-04-21 07:04 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
2008-04-21 07:04 659,456 ----a-w C:\WINDOWS\system32\dllcache\wininet.dll
2008-04-21 07:04 615,936 ----a-w C:\WINDOWS\system32\dllcache\urlmon.dll
2008-04-21 07:04 532,480 ----a-w C:\WINDOWS\system32\dllcache\mstime.dll
2008-04-21 07:04 474,112 ----a-w C:\WINDOWS\system32\dllcache\shlwapi.dll
2008-04-21 07:04 449,024 ----a-w C:\WINDOWS\system32\dllcache\mshtmled.dll
2008-04-21 07:04 39,424 ----a-w C:\WINDOWS\system32\dllcache\pngfilt.dll
2008-04-21 07:04 3,059,712 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2008-04-21 07:04 146,432 ----a-w C:\WINDOWS\system32\dllcache\msrating.dll
2008-04-21 07:04 1,494,528 ----a-w C:\WINDOWS\system32\dllcache\shdocvw.dll
2008-04-21 07:03 96,256 ----a-w C:\WINDOWS\system32\dllcache\inseng.dll
2008-04-21 07:03 55,808 ----a-w C:\WINDOWS\system32\dllcache\extmgr.dll
2008-04-21 07:03 357,888 ----a-w C:\WINDOWS\system32\dllcache\dxtmsft.dll
2008-04-21 07:03 251,392 ----a-w C:\WINDOWS\system32\dllcache\iepeers.dll
2008-04-21 07:03 205,312 ----a-w C:\WINDOWS\system32\dllcache\dxtrans.dll
2008-04-21 07:03 16,384 ----a-w C:\WINDOWS\system32\dllcache\jsproxy.dll
2008-04-21 07:03 151,040 ----a-w C:\WINDOWS\system32\dllcache\cdfview.dll
2008-04-21 07:03 1,054,208 ----a-w C:\WINDOWS\system32\dllcache\danim.dll
2008-04-21 07:03 1,023,488 ----a-w C:\WINDOWS\system32\dllcache\browseui.dll
2008-04-17 10:52 18,432 ----a-w C:\WINDOWS\system32\dllcache\iedw.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 12:00 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-06-19 16:19 68856]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2003-03-17 18:21 110592]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2003-03-17 18:20 569344]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-02-10 11:55 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-02-10 11:51 118784]
"PCTVOICE"="pctspk.exe" [2002-07-18 16:58 163840 C:\WINDOWS\system32\pctspk.exe]

C:\Documents and Settings\user\Start Menu\Programs\Startup\
Office Startup.lnk - C:\Program Files\Microsoft Office\Office\OSA.EXE [1996-11-17 51984]
Microsoft Find Fast.lnk - C:\Program Files\Microsoft Office\Office\FINDFAST.EXE [1996-11-17 111376]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Wireless-B Notebook Adapter Utility.lnk - C:\Program Files\Linksys\Wireless-B Notebook Adapter\WPC11Cfg.exe [2006-09-21 19:35:07 4811264]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\MSMSGS.EXE"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-05-15 23:20]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-05-15 23:16]
S3 cwrwdm;SoundFusion WDM Driver;C:\WINDOWS\system32\DRIVERS\cwrwdm.sys []
S3 neo20xx;neo20xx;C:\WINDOWS\system32\DRIVERS\neo20xx.sys [2001-08-17 12:50]
S3 wdm_nm5;NeoMagic MagicMedia 256AV Audio Driver (WDM);C:\WINDOWS\system32\drivers\nm5a2wdm.sys [2001-08-17 12:20]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{56e56670-49a6-11db-9362-806d6172696f}]
\Shell\AutoRun\command - D:\Setup.exe AutoRun
.
- - - - ORPHANS REMOVED - - - -

BHO-{3ABBCEAB-E788-4206-9377-95BBB9E3E5CC} - C:\WINDOWS\system32\ssqOETlJ.dll
BHO-{AC0EA732-A6CE-4FE9-9C96-F51AE76C6D25} - C:\WINDOWS\system32\ddcBTLee.dll
HKLM-Run-BMd75705b2 - C:\WINDOWS\system32\scthqbmk.dll
HKLM-Run-d464362e - C:\WINDOWS\system32\fnnsgonx.dll

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-07 17:43:39
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASWUPDSV.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
C:\WINDOWS\SYSTEM32\RUNDLL32.EXE
C:\WINDOWS\SYSTEM32\RUNDLL32.EXE
C:\PROGRAM FILES\GOOGLE\COMMON\GOOGLE UPDATER\GOOGLEUPDATERSERVICE.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHMAISV.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHWEBSV.EXE
.
**************************************************************************
.
Completion time: 2008-07-07 17:45:02 - machine was rebooted [user]
ComboFix-quarantined-files.txt 2008-07-07 17:44:56

Pre-Run: 24,986,419,200 bytes free
Post-Run: 25,102,286,848 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

193 --- E O F --- 2008-06-21 10:20:52
Post #6 (Jul 7 2008, 12:01 PM) by Gypsys Kiss. Member; Group: Members; Posts: 16; Joined: 30-October 07; Member No.: 166,338
The Mbam log
Malwarebytes' Anti-Malware 1.19
Database version: 927
Windows 5.1.2600 Service Pack 2

11:11:02 06/07/2008
mbam-log-7-6-2008 (11-11-02).txt

Scan type: Quick Scan
Objects scanned: 38893
Time elapsed: 6 minute(s), 26 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 3
Registry Keys Infected: 11
Registry Values Infected: 3
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 14

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\urqRJYoL.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\system32\antiwpa.dll (Malware.Tool) -> Unloaded module successfully.
C:\WINDOWS\system32\cbXRLbBS.dll (Trojan.Vundo) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{726eb118-5e88-46c3-8a91-8aee6149543f} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{726eb118-5e88-46c3-8a91-8aee6149543f} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{33c926d3-6b1c-48fa-aaca-a4ba8e5728b6} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\antiwpa (Malware.Tool) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{ba2a2046-75a4-47c0-a09c-f0dcc706d39b} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ba2a2046-75a4-47c0-a09c-f0dcc706d39b} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cbxrlbbs (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\d464362e (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BMd75705b2 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{ba2a2046-75a4-47c0-a09c-f0dcc706d39b} (Trojan.Vundo) -> Delete on reboot.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo) -> Data: c:\windows\system32\urqrjyol -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\urqrjyol -> Delete on reboot.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\urqRJYoL.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\LoYJRqru.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\LoYJRqru.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\unkecdyy.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\yydceknu.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\rabltmkh.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\hkmtlbar.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\oekhompy.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ypmohkeo.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\cwevrxac.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\uofqgx.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\cookies.ini (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\antiwpa.dll (Malware.Tool) -> Delete on reboot.
C:\WINDOWS\system32\cbXRLbBS.dll (Trojan.Vundo) -> Delete on reboot.
Jul 7 2008, 12:02 PM
Post #7
Member | Group: Members | Posts: 16 | Joined: 30-October 07 | Member No.: 166,338
And the HJT log
Deckard's System Scanner v20071014.68
Run by user on 2008-07-07 17:54:51
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Total Physical Memory: 511 MiB (512 MiB recommended).

-- HijackThis (run as user.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:55:04, on 07/07/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Linksys\Wireless-B Notebook Adapter\WPC11Cfg.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Documents and Settings\user\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\user.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tiscali.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Wireless-B Notebook Adapter Utility.lnk = C:\Program Files\Linksys\Wireless-B Notebook Adapter\WPC11Cfg.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {138E6DC9-722B-4F4B-B09D-95D191869696} (Bebo Uploader Control) - http://www.bebo.com/files/BeboUploader.5.1.4.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

--
End of file - 4646 bytes

-- Files created between 2008-06-07 and 2008-07-07 -----------------------------

2008-07-07 17:39:54 0 d-------- C:\cmdcons
2008-07-07 17:38:57 68096 --a------ C:\WINDOWS\zip.exe
2008-07-07 17:38:57 49152 --a------ C:\WINDOWS\VFind.exe
2008-07-07 17:38:57 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-07-07 17:38:57 98816 --a------ C:\WINDOWS\sed.exe
2008-07-07 17:38:57 80412 --a------ C:\WINDOWS\grep.exe
2008-07-07 17:38:57 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-07-07 17:38:56 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-07-07 17:38:56 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-07-06 11:00:08 0 d-------- C:\Documents and Settings\user\Application Data\Malwarebytes
2008-07-06 10:59:51 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-06 10:59:48 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-05 18:18:58 0 d--hs---- C:\FOUND.003
2008-07-05 08:56:28 0 d--hs---- C:\FOUND.002
2008-07-04 17:05:32 0 d-------- C:\Program Files\Trend Micro
2008-06-30 22:55:46 0 d--hs---- C:\FOUND.001
2008-06-30 18:42:55 691545 --a------ C:\WINDOWS\unins000.exe
2008-06-30 18:42:55 2549 --a------ C:\WINDOWS\unins000.dat
2008-06-30 18:32:19 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy <SPYBOT~1>
2008-06-28 00:50:23 7639 --a------ C:\WINDOWS\extend.dat
2008-06-27 21:38:51 0 d-------- C:\WINDOWS\system32\appmgmt
2008-06-27 21:11:57 0 d-------- C:\Documents and Settings\user\Application Data\LimeWire
2008-06-27 21:02:42 0 d-------- C:\Program Files\LimeWire
2008-06-22 18:09:30 0 d-------- C:\Program Files\MFInstall
2008-06-21 00:29:02 0 d--hs---- C:\WINDOWS\CSC
2008-06-21 00:08:45 0 d-------- C:\Documents and Settings\user\Application Data\Help
2008-06-20 22:58:50 0 d-------- C:\Documents and Settings\user\Contacts
2008-06-20 22:58:10 0 d-------- C:\WINDOWS\system32\DRVSTORE
2008-06-20 22:18:59 0 d--hs---- C:\Program Files\Common Files\WindowsLiveInstaller
2008-06-20 22:18:47 0 d-------- C:\Program Files\Windows Live
2008-06-20 22:18:36 0 d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-06-20 22:11:54 0 d-------- C:\Documents and Settings\user\Application Data\Adobe
2008-06-19 16:20:18 0 d-------- C:\Documents and Settings\user\Application Data\Google
2008-06-19 16:20:07 0 d-------- C:\Documents and Settings\All Users\Application Data\Google
2008-06-19 16:19:26 0 d-------- C:\Documents and Settings\All Users\Application Data\Google Updater
2008-06-19 16:19:23 0 d-------- C:\Program Files\Google
2008-06-19 16:18:00 0 d---s---- C:\Documents and Settings\user\UserData
2008-06-14 13:45:48 139536 --a------ C:\WINDOWS\system32\javaee.dll <Not Verified; Microsoft Corporation; Microsoft® Windows ® Operating System>
2008-06-14 12:53:32 0 d-------- C:\WINDOWS\system32\PreInstall
2008-06-14 12:53:30 0 d--h----- C:\WINDOWS\$hf_mig$
2008-06-14 10:31:55 0 d-------- C:\WINDOWS\.jagex_cache_32
2008-06-14 10:29:58 0 d-------- C:\WINDOWS\system32\SoftwareDistribution
2008-06-12 18:44:55 0 d-------- C:\Documents and Settings\user\Application Data\Macromedia
2008-06-12 17:13:51 0 d-------- C:\Program Files\Alwil Software
2008-06-10 17:01:59 543712 -ra------ C:\WINDOWS\system32\drivers\ar5211.sys <Not Verified; Atheros Communications, Inc.; Atheros AR5001 Wireless Network Adapter>

-- Find3M Report ---------------------------------------------------------------

2008-07-06 11:11:00 5376 -----n--- C:\WINDOWS\system32\antiwpa.dll

-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [17/03/2003 18:21]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [17/03/2003 18:20]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [10/02/2004 11:55]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [10/02/2004 11:51]
"PCTVOICE"="pctspk.exe" [18/07/2002 16:58 C:\WINDOWS\system32\pctspk.exe]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [04/08/2004 12:00]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [19/06/2008 16:19]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [28/01/2008 11:43]

C:\Documents and Settings\user\Start Menu\Programs\Startup\
Office Startup.lnk - C:\Program Files\Microsoft Office\Office\OSA.EXE [17/11/1996]
Microsoft Find Fast.lnk - C:\Program Files\Microsoft Office\Office\FINDFAST.EXE [17/11/1996]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Wireless-B Notebook Adapter Utility.lnk - C:\Program Files\Linksys\Wireless-B Notebook Adapter\WPC11Cfg.exe [21/09/2006 19:35:07]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{56e56670-49a6-11db-9362-806d6172696f}]
AutoRun\command- D:\Setup.exe AutoRun

-- End of Deckard's System Scanner: finished at 2008-07-07 17:55:48 ------------

Regards
Gypsys Kiss
Jul 8 2008, 03:29 AM
Post #8
Forum Addict | Group: HJT Team | Posts: 2,252 | Joined: 12-December 05 | From: Belgium | Member No.: 44,294
Hello Gypsys Kiss,
That does look quite a lot better now. Navigate, using Windows Explorer, to and delete the following folders and files if still present:
Then you can remove all the tools used and the folders created in the process. To remove ComboFix: go to Start > Run, and copy and paste the next command into the field:
Then press Enter. No more problems meanwhile?

Greetings, Thunder
--------------------
Whatever happens, make believe it was intended to ...
Jul 8 2008, 11:28 AM
Post #9
Member | Group: Members | Posts: 16 | Joined: 30-October 07 | Member No.: 166,338
Hi Thunder
PC is running really well now. Thank you for all your help.

With thanks,
Gypsys Kiss
Jul 9 2008, 03:06 AM
Post #10
Forum Addict | Group: HJT Team | Posts: 2,252 | Joined: 12-December 05 | From: Belgium | Member No.: 44,294
Glad we could help, Gypsys Kiss.

Please read this Prevention page, with lots of info and tips on how to prevent this in the future. And if you want to improve speed/system performance after malware removal, take a look here.

Extra note: Make sure your programs are up to date, because older versions may contain security leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Please also read Tony Klein's excellent article: How I got Infected in the First Place and/or