Don't Know What To Do


7 replies to this topic

#1 funky_beats06 (Members, 51 posts)

Posted 03 August 2007 - 04:20 AM

I've been having this problem for a week. My PC is running slower than ever. I installed Ad-Aware 2007; it detected 33 infected files and cleaned them, but the OfficeScan client still detects thousands of files and does not clean them. I ran McAfee Stinger too; it detected some 13 and cleaned them. I think my PC got infected because of using P2P file sharing clients. There are only about 80 files in my downloaded folder, but on scanning it shows that there are 2032 files, and they are not hidden files. I ran avast! 4 also, but to no avail. Here's my HJT log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:34:42 PM, on 8/3/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\hkcmd.exe
D:\ad aware 07\aawservice.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\WINDOWS\system32\lubjyqwx.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\PROGRA~1\HDTUNE~1\HDTune.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\TEMP\BN745D.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Sify Broadband\BBClient.exe
C:\Program Files\Sify Broadband\BBImpSec.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\OfficeScan Client\TSC.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O1 - Hosts: 203.27.235.25 www.payseal.icicibank.com
O1 - Hosts: 210.210.19.82 www.sifymall.com
O2 - BHO: (no name) - {066A2CDC-319E-4460-BA45-C24562CD51AA} - C:\WINDOWS\system32\ljjgggg.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {938A8A03-A938-4019-B764-03FF8D167D79} - C:\WINDOWS\system32\cbmmgddp.dll
O2 - BHO: (no name) - {EBD9010D-EEE3-4BB6-A310-7DE19101AD33} - C:\WINDOWS\system32\pmnll.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HD Tune] C:\PROGRA~1\HDTUNE~1\HDTune.exe
O4 - HKLM\..\Run: [icq.com] rundll32.exe "C:\WINDOWS\system32\ddkhbuje.dll",forkonce
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SifyBB] C:\Program Files\Sify Broadband\BBImpSec.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [AROReminder] C:\Program Files\Advanced Registry Optimizer\ARO.exe -rem
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{42A62DBC-E86E-411F-A3F3-41B5473FA329}: NameServer = 202.144.115.4,202.144.66.6
O17 - HKLM\System\CS1\Services\Tcpip\..\{42A62DBC-E86E-411F-A3F3-41B5473FA329}: NameServer = 202.144.115.4,202.144.66.6
O17 - HKLM\System\CS2\Services\Tcpip\..\{42A62DBC-E86E-411F-A3F3-41B5473FA329}: NameServer = 202.144.115.4,202.144.66.6
O20 - Winlogon Notify: ljjgggg - C:\WINDOWS\SYSTEM32\ljjgggg.dll
O20 - Winlogon Notify: pmnll - C:\WINDOWS\system32\pmnll.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - D:\ad aware 07\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\lubjyqwx.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe

--
End of file - 6098 bytes


#2 RichieUK (Malware Assassin, Malware Response Team, 13,614 posts)

Posted 03 August 2007 - 08:07 AM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum, funky_beats06 :thumbsup:
My name is Richie and I'll be helping you to fix your problems.

Copy and paste the following text into Notepad.
Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: fix.bat, and save it to your desktop.
Then double-click on the fix.bat file on your desktop.
You'll see a black screen flash; that's normal.

@echo off
REM Stop the rogue "DomainService" service (the O23 entry with "Unknown owner"
REM pointing at C:\WINDOWS\system32\lubjyqwx.exe in the HijackThis log above).
sc stop DomainService
REM Remove its service registration so it cannot start again at boot.
sc delete DomainService

Restart your pc.

--------------------------------------------

Please download VundoFix.exe to your desktop.
Double-click VundoFix.exe to run it.
When VundoFix re-opens, click the "Scan for Vundo" button.
Once it's done scanning, click the "Remove Vundo" button.
You will receive a prompt asking if you want to remove the files; click "YES".
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer; click "OK".
Post the contents of C:\vundofix.txt into your next reply.

Note:
It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

--------------------------------------------

Please download ComboFix and save it to your desktop.
Note:
It is important that it is saved directly to your desktop.

Close any open browsers.
Double-click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.
Note:
Do not mouse-click ComboFix's window while it's running.
That may cause the program to freeze/hang.


Also post a new Hijackthis log.
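As an added example (not part of the thread, HijackThis, or any of the tools named in it), the following Python script applies the same kind of triage Richie's reply is based on to HijackThis log lines: non-loopback O1 hosts redirects, nameless O2 BHOs, O4 rundll32 loaders of system32 DLLs, O20 Winlogon Notify DLLs that double as nameless BHOs, and O23 services with "Unknown owner". The sample lines are copied from the first log in this thread plus a few benign ones for contrast; the heuristics, function names and the generated batch text are my own assumptions.

```python
"""Triage helper for HijackThis (HJT) logs, written as an added example for
this thread.  The heuristics below are the editor's assumptions, not rules
from HijackThis or from the helper's reply."""
import re

# Addresses a benign hosts file commonly maps unwanted names to.
LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}

# Constructed sample: entries copied from the first HJT log in this thread,
# plus one benign hosts line and two benign entries for contrast.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
O1 - Hosts: 203.27.235.25 www.payseal.icicibank.com
O1 - Hosts: 127.0.0.1 ads.example.invalid
O2 - BHO: (no name) - {066A2CDC-319E-4460-BA45-C24562CD51AA} - C:\WINDOWS\system32\ljjgggg.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {EBD9010D-EEE3-4BB6-A310-7DE19101AD33} - C:\WINDOWS\system32\pmnll.dll
O4 - HKLM\..\Run: [icq.com] rundll32.exe "C:\WINDOWS\system32\ddkhbuje.dll",forkonce
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O20 - Winlogon Notify: ljjgggg - C:\WINDOWS\SYSTEM32\ljjgggg.dll
O20 - Winlogon Notify: pmnll - C:\WINDOWS\system32\pmnll.dll
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\lubjyqwx.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
"""

# Every HJT entry line looks like "<section> - <body>", e.g. "O23 - Service: ...".
ENTRY_RE = re.compile(r"^(?P<sec>[RFO]\d+) - (?P<body>.*)$")
# rundll32 autorun that calls an export of a DLL living in system32.
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?[^"]*\\system32\\[^"\\]+\.dll"?,',
                       re.IGNORECASE)


def parse_hjt(text):
    """Return a list of (section, body) tuples for every HJT entry line."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append((m.group("sec"), m.group("body")))
    return entries


def _dll_basename(path):
    """Lower-cased file name of a Windows path such as C:\\WINDOWS\\system32\\x.dll."""
    return path.rsplit("\\", 1)[-1].lower()


def service_name(body):
    """Key name from an O23 body: 'Service: Display (key) - owner - path'.
    When no '(key)' suffix is present the display name is the key name."""
    head = body[len("Service: "):].split(" - ", 1)[0]
    m = re.search(r"\(([^()]+)\)\s*$", head)
    return m.group(1) if m else head


def triage(text):
    """Return a list of (section, reason, body) findings for a log text."""
    entries = parse_hjt(text)
    # First pass: DLLs registered as nameless BHOs, so O20 entries can be
    # cross-referenced (the thread's two Vundo DLLs appear in both places).
    nameless_bho = set()
    for sec, body in entries:
        if sec == "O2" and body.startswith("BHO: (no name)"):
            nameless_bho.add(_dll_basename(body.rsplit(" - ", 1)[-1]))

    findings = []
    for sec, body in entries:
        if sec == "O1" and body.startswith("Hosts:"):
            ip, host = body.split(None, 2)[1:3]
            if ip not in LOOPBACK:  # a bank name pinned to a remote IP is pharming
                findings.append((sec, f"hosts file redirects {host} to {ip}", body))
        elif sec == "O2" and body.startswith("BHO: (no name)"):
            findings.append((sec, "browser helper object with no name", body))
        elif sec == "O4" and RUNDLL_RE.search(body):
            findings.append((sec, "rundll32 autorun calling an export of a system32 DLL", body))
        elif sec == "O20" and body.startswith("Winlogon Notify:"):
            dll = _dll_basename(body.rsplit(" - ", 1)[-1])
            if dll in nameless_bho:
                findings.append((sec, f"Winlogon Notify DLL {dll} is also a nameless BHO", body))
        elif sec == "O23" and " - Unknown owner - " in body:
            findings.append((sec, "service with no vendor name", body))
    return findings


def fix_batch(findings):
    """Build a stop/delete batch file, in the shape the helper posted, for
    every flagged O23 service."""
    lines = ["@echo off"]
    for sec, _reason, body in findings:
        if sec == "O23":
            name = service_name(body)
            lines += [f"sc stop {name}", f"sc delete {name}"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for sec, reason, body in triage(SAMPLE_LOG):
        print(f"[{sec}] {reason}\n    {body}")
    print(fix_batch(triage(SAMPLE_LOG)))
```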

#3 funky_beats06 (Topic Starter, Members, 51 posts)

Posted 03 August 2007 - 11:57 AM

Hi Richie, thanks for your concern.
I did exactly as you said, but while removing Vundo with VundoFix I got an error message:
"Error 75. Path/File Access Error"
Then when I clicked OK it continued as you said, and the system rebooted.
However, after doing ComboFix my PC has become quite fast, as it was previously.
But I think I should leave it to you to decide if everything's fine.
Here's the file vundofix.txt:



VundoFix V6.5.6

Checking Java version...

Java version is 1.5.0.3
Old versions of java are exploitable and should be removed.

Scan started at 9:26:51 PM 8/3/2007

Listing files found while scanning....

C:\windows\system32\apjsxdmb.dll
C:\windows\system32\bdcorjjq.exe
C:\WINDOWS\system32\cbmmgddp.dll
C:\windows\system32\cnydsibq.dll
C:\WINDOWS\system32\ddkhbuje.dll
C:\windows\system32\drajeckf.ini
C:\WINDOWS\system32\ejubhkdd.ini
C:\windows\system32\fkcejard.dll
C:\windows\system32\glerdcmd.dll
C:\windows\system32\hrfhbvuq.dll
C:\windows\system32\jbhyindy.dll
C:\WINDOWS\system32\ljjgggg.dll
C:\windows\system32\mxvxraun.dll
C:\WINDOWS\system32\pmnll.dll
C:\windows\system32\reqkjayh.dll
C:\windows\system32\rrxqntpq.dll
C:\windows\system32\shhlwcld.dll

Beginning removal...

Attempting to delete C:\windows\system32\apjsxdmb.dll
C:\windows\system32\apjsxdmb.dll Has been deleted!

Attempting to delete C:\windows\system32\bdcorjjq.exe
C:\windows\system32\bdcorjjq.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\cbmmgddp.dll
C:\WINDOWS\system32\cbmmgddp.dll Has been deleted!

Attempting to delete C:\windows\system32\cnydsibq.dll
C:\windows\system32\cnydsibq.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ddkhbuje.dll
C:\WINDOWS\system32\ddkhbuje.dll Has been deleted!

Attempting to delete C:\windows\system32\drajeckf.ini
C:\windows\system32\drajeckf.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\ejubhkdd.ini
C:\WINDOWS\system32\ejubhkdd.ini Has been deleted!

Attempting to delete C:\windows\system32\fkcejard.dll
C:\windows\system32\fkcejard.dll Has been deleted!

Attempting to delete C:\windows\system32\glerdcmd.dll
C:\windows\system32\glerdcmd.dll Has been deleted!

Attempting to delete C:\windows\system32\hrfhbvuq.dll
C:\windows\system32\hrfhbvuq.dll Has been deleted!

Attempting to delete C:\windows\system32\jbhyindy.dll
C:\windows\system32\jbhyindy.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ljjgggg.dll
C:\WINDOWS\system32\ljjgggg.dll Has been deleted!

Attempting to delete C:\windows\system32\mxvxraun.dll
C:\windows\system32\mxvxraun.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\pmnll.dll
C:\WINDOWS\system32\pmnll.dll Has been deleted!

Attempting to delete C:\windows\system32\reqkjayh.dll
C:\windows\system32\reqkjayh.dll Has been deleted!

Attempting to delete C:\windows\system32\rrxqntpq.dll
C:\windows\system32\rrxqntpq.dll Has been deleted!

Attempting to delete C:\windows\system32\shhlwcld.dll
C:\windows\system32\shhlwcld.dll Has been deleted!

Performing Repairs to the registry.
Done!




Here's combofix.txt:
ComboFix 07-08-03.5 - "Faiz" 2007-08-03 21:47:07.1 [GMT 5.5:30] - NTFS
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.True
* Created a new restore point


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\khfebcc.dll
C:\WINDOWS\system32\llnmp.bak1
C:\WINDOWS\system32\llnmp.bak2
C:\WINDOWS\system32\llnmp.ini
C:\WINDOWS\system32\llnmp.ini2
C:\WINDOWS\system32\llnmp.tmp
C:\WINDOWS\system32\tuvwwts.dll


((((((((((((((((((((((((( Files Created from 2007-07-03 to 2007-08-03 )))))))))))))))))))))))))))))))


2007-08-03 21:44 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-03 21:41 24,576 --a------ C:\WINDOWS\system32\VundoFixSVC.exe
2007-08-03 21:26 <DIR> d-------- C:\VundoFix Backups
2007-08-02 22:56 95,872 --a------ C:\WINDOWS\system32\AvastSS.scr
2007-08-02 22:56 94,552 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-08-02 22:56 85,952 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-08-02 22:56 43,176 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-08-02 22:56 26,888 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-08-02 22:56 23,416 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-08-02 22:55 745,600 --a------ C:\WINDOWS\system32\aswBoot.exe
2007-08-02 22:55 1,060,864 --a------ C:\WINDOWS\system32\MFC71.dll
2007-08-02 22:55 <DIR> d-------- C:\Program Files\Alwil Software
2007-08-02 22:42 <DIR> d-------- C:\Program Files\Wise Registry Cleaner
2007-08-02 22:37 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-08-02 19:13 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-08-02 19:08 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-07-30 23:25 524,288 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-07-30 13:19 <DIR> d-------- C:\DOCUME~1\Faiz\APPLIC~1\Sammsoft
2007-07-30 13:18 <DIR> d-------- C:\Program Files\Advanced Registry Optimizer
2007-07-27 20:26 <DIR> d-------- C:\Program Files\limewire
2007-07-26 13:00 167 --a------ C:\WINDOWS\system32\7596.bat
2007-07-25 16:32 167 --a------ C:\WINDOWS\system32\5258.bat
2007-07-19 13:08 <DIR> d-------- C:\Program Files\HD Tune
2007-07-06 12:49 249 --a------ C:\delunins.bat
2007-07-06 12:44 <DIR> d-------- C:\Program Files\DJ Jukebox
2007-07-06 12:44 <DIR> d-------- C:\Program Files\Common Files\System-G
2007-07-06 12:35 720,896 --a------ C:\WINDOWS\iun6002.exe


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-03 21:20 --------- d-------- C:\DOCUME~1\Faiz\APPLIC~1\Broadband
2007-08-03 20:08 --------- d-------- C:\DOCUME~1\Faiz\APPLIC~1\LimeWire
2007-08-03 13:21 --------- d-------- C:\Program Files\Trend Micro
2007-07-26 13:00 38413 --a------ C:\WINDOWS\system32\install.exe
2007-07-26 13:00 32768 --a------ C:\WINDOWS\system32\setup9x.exe
2007-07-14 12:55 --------- d-------- C:\Program Files\Sify Broadband
2007-06-27 12:42 --------- d-------- C:\Program Files\NCH Swift Sound
2007-06-27 12:37 21120 --a------ C:\WINDOWS\system32\drivers\nchssvad.sys
2007-06-27 12:37 --------- d-------- C:\DOCUME~1\Faiz\APPLIC~1\NCH Swift Sound
2007-06-22 14:35 167 --a------ C:\WINDOWS\system32\3620.bat
2007-06-22 14:35 128 --a------ C:\WINDOWS\system32\ps.exe
2007-06-22 14:34 37901 --a------ C:\WINDOWS\system32\app.exe
2007-06-22 14:33 147456 --a------ C:\WINDOWS\system32\vbzip10.dll
2007-06-11 12:37 --------- d-------- C:\Program Files\Yahoo!
2007-06-10 19:15 --------- d-------- C:\DOCUME~1\Faiz\APPLIC~1\Ahead
2007-06-08 20:32 --------- d-------- C:\Program Files\Common Files\Nero
2007-06-08 20:29 --------- d-------- C:\Program Files\Common Files\Ahead
2007-06-08 16:01 98304 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2007-06-08 15:48 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-06-06 22:40 --------- d-------- C:\DOCUME~1\Faiz\APPLIC~1\dvdcss
2007-06-04 15:18 9344 --a------ C:\WINDOWS\system32\drivers\NSDriver.sys
2007-06-04 15:17 8320 --a------ C:\WINDOWS\system32\drivers\AWRTRD.sys
2007-06-04 15:14 6272 --a------ C:\WINDOWS\system32\drivers\AWRTPD.sys
2007-05-16 15:59 0 -rahs---- C:\MSDOS.SYS
2007-05-16 15:59 0 -rahs---- C:\IO.SYS
2007-05-16 15:59 0 --a------ C:\CONFIG.SYS
2007-05-16 15:59 0 --a------ C:\AUTOEXEC.BAT
2007-05-16 15:56 21640 --a------ C:\WINDOWS\system32\emptyregdb.dat


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BCB8B00C-B18F-4092-9042-372EAE5B7B70}]
C:\WINDOWS\system32\pmnll.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-11-02 06:33]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-11-02 06:29]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 17:07 C:\WINDOWS\system32\HdAShCut.exe]
"RTHDCPL"="RTHDCPL.EXE" [2005-09-22 11:06 C:\WINDOWS\RTHDCPL.exe]
"Alcmtr"="ALCMTR.EXE" [2005-05-03 16:13 C:\WINDOWS\Alcmtr.exe]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-05-16 16:20]
"OfficeScanNT Monitor"="C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" [2006-02-07 16:16]
"googletalk"="C:\Program Files\Google\Google Talk\googletalk.exe" [2007-01-02 02:52]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50]
"HD Tune"="C:\PROGRA~1\HDTUNE~1\HDTune.exe" [2007-01-22 02:01]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-04-30 21:12]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]
"SifyBB"="C:\Program Files\Sify Broadband\BBImpSec.exe" [2006-04-21 20:04]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-06-07 14:08]
"AROReminder"="C:\Program Files\Advanced Registry Optimizer\ARO.exe" [2007-07-23 09:34]

R2 ntrtscan;OfficeScanNT RealTime Scan;"C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe"
R2 TmFilter;Trend Micro Filter;\??\C:\Program Files\Trend Micro\OfficeScan Client\TmXPFlt.sys
R2 tmlisten;OfficeScanNT Listener;"C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe"
R2 TmPreFilter;Trend Micro PreFilter;\??\C:\Program Files\Trend Micro\OfficeScan Client\TmPreFlt.sys
R2 VSApiNt;Trend Micro VSAPI NT;\??\C:\Program Files\Trend Micro\OfficeScan Client\VSApiNt.sys
S3 GMSIPCI;GMSIPCI;\??\G:\INSTALL\GMSIPCI.SYS
S3 MSICPL;MSICPL;\??\G:\install4\MSICPL.sys
S3 NCHSSVAD;SoundTap Recorder;C:\WINDOWS\system32\drivers\nchssvad.sys
S3 NTACCESS;NTACCESS;\??\G:\NTACCESS.sys
S3 SetupNTGLM7X;SetupNTGLM7X;\??\G:\NTGLM7X.sys


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6481d5aa-40fd-11dc-9cd8-00804840618b}]
Auto\command- MicrosoftPowerPoint.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL MicrosoftPowerPoint.exe


**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-03 22:03:45
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-03 22:04:51
C:\ComboFix-quarantined-files.txt ... 2007-08-03 22:04

--- E O F ---





And here's the HJT log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:22:50 PM, on 8/3/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\HDTUNE~1\HDTune.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
D:\ad aware 07\aawservice.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\TEMP\GSE191.EXE
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Sify Broadband\BBClient.exe
C:\Program Files\Sify Broadband\BBImpSec.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O1 - Hosts: 203.27.235.25 www.payseal.icicibank.com
O1 - Hosts: 210.210.19.82 www.sifymall.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {BCB8B00C-B18F-4092-9042-372EAE5B7B70} - C:\WINDOWS\system32\pmnll.dll (file missing)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HD Tune] C:\PROGRA~1\HDTUNE~1\HDTune.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SifyBB] C:\Program Files\Sify Broadband\BBImpSec.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [AROReminder] C:\Program Files\Advanced Registry Optimizer\ARO.exe -rem
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{42A62DBC-E86E-411F-A3F3-41B5473FA329}: NameServer = 202.144.115.4,202.144.66.6
O17 - HKLM\System\CS1\Services\Tcpip\..\{42A62DBC-E86E-411F-A3F3-41B5473FA329}: NameServer = 202.144.115.4,202.144.66.6
O17 - HKLM\System\CS2\Services\Tcpip\..\{42A62DBC-E86E-411F-A3F3-41B5473FA329}: NameServer = 202.144.115.4,202.144.66.6
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - D:\ad aware 07\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe

--
End of file - 5641 bytes



If everything's fine, please advise me on maintaining this state.
I feel much better now, THANK YOU! :thumbsup:

#4 RichieUK (Malware Assassin, Malware Response Team, 13,614 posts)

Posted 03 August 2007 - 03:04 PM

You have Avast4 and Trend Micro installed.
It's not a good idea to have more than one antivirus program installed on your computer.
Each program may interpret the actions of the other as viral, therefore giving you false virus warnings about virus-related activities.
It could also lead to system slowdowns and other problems within the operating system, due to the two conflicting with each other.
You should uninstall one or the other as soon as possible, then restart your PC.

-------------------------------------------------------------

Download\install 'SuperAntiSpyware Home Edition Free Version' from here:
http://www.superantispyware.com/downloadfi...ANTISPYWAREFREE

Launch SuperAntiSpyware and click on 'Check for updates'.
Once the updates have been installed, exit SuperAntiSpyware.

Have HijackThis fix the following by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O1 - Hosts: 203.27.235.25 www.payseal.icicibank.com
O1 - Hosts: 210.210.19.82 www.sifymall.com
O2 - BHO: (no name) - {BCB8B00C-B18F-4092-9042-372EAE5B7B70} - C:\WINDOWS\system32\pmnll.dll (file missing)
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

Exit HijackThis.

Start SuperAntiSpyware.
On the main screen click on 'Scan your computer'.
Check: 'Perform Complete Scan'.
Click 'Next' to start the scan.

SuperAntiSpyware will now scan your computer; when it's finished it will list all/any infections found.
Make sure everything found has a checkmark next to it, then press 'Next'.
Click on 'Finish' when you're done.

It's possible that the program will ask you to reboot in order to delete some files.

Obtain the SuperAntiSpyware log as follows:
Click on 'Preferences'.
Click on the 'Statistics/Logs' tab.
Under 'Scanner Logs' double-click on 'SuperAntiSpyware Scan Log'.
It will then open in your default text editor, such as Notepad.
Copy and paste the contents of that report into your next reply.
Also post a new HijackThis log, and let me know how your PC is running now.


#5 funky_beats06 (Topic Starter, Members, 51 posts)

Posted 04 August 2007 - 02:48 AM

Hi Richie, I did exactly as you said. Everything happened smoothly. Here's the SUPERAntiSpyware log:



SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 08/04/2007 at 12:59 PM

Application Version : 3.9.1008

Core Rules Database Version : 3279
Trace Rules Database Version: 1290

Scan type : Complete Scan
Total Scan Time : 00:25:43

Memory items scanned : 359
Memory threats detected : 0
Registry items scanned : 4880
Registry threats detected : 3
File items scanned : 25156
File threats detected : 190

Unclassified.Unknown Origin
HKLM\Software\Classes\CLSID\{5ADF3862-9E2E-4ad3-86F7-4510E6550CD0}
HKCR\CLSID\{5ADF3862-9E2E-4AD3-86F7-4510E6550CD0}
HKCR\CLSID\{5ADF3862-9E2E-4AD3-86F7-4510E6550CD0}\InprocServer32

Adware.Tracking Cookie
C:\Documents and Settings\Faiz\Cookies\faiz@winantivirus[3].txt
C:\Documents and Settings\Faiz\Cookies\faiz@clickjobs[1].txt
C:\Documents and Settings\Faiz\Cookies\faiz@azjmp[1].txt
C:\Documents and Settings\Faiz\Cookies\faiz@try.screensavers[1].txt
C:\Documents and Settings\Faiz\Cookies\faiz@ad.yieldmanager[2].txt
C:\Documents and Settings\Faiz\Cookies\faiz@screensavers[2].txt
C:\Documents and Settings\Faiz\Cookies\faiz@drivecleaner[2].txt
C:\Documents and Settings\Faiz\Cookies\faiz@www.winantiviruspro[1].txt
C:\Documents and Settings\Faiz\Cookies\faiz@stats1.reliablestats[1].txt
C:\Documents and Settings\Faiz\Cookies\faiz@pandasoftware.112.2o7[1].txt
C:\Documents and Settings\Faiz\Cookies\faiz@i.screensavers[2].txt
C:\Documents and Settings\Faiz\Cookies\faiz@2o7[1].txt
C:\Documents and Settings\Faiz\Cookies\faiz@ads.adbrite[2].txt
C:\Documents and Settings\Faiz\Cookies\faiz@adserver.softwareonline[2].txt
C:\Documents and Settings\Faiz\Cookies\faiz@crackedwarez[2].txt
C:\Documents and Settings\Faiz\Cookies\faiz@winantivirus[1].txt

Adware.Vundo Variant
C:\SYSTEM VOLUME INFORMATION\_RESTORE{CD37CBAF-F4A1-40DF-8124-BDC43B0A9A6D}\RP16\A0008131.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{CD37CBAF-F4A1-40DF-8124-BDC43B0A9A6D}\RP20\A0016826.DLL

Trojan.CSRRS/System
C:\SYSTEM VOLUME INFORMATION\_RESTORE{CD37CBAF-F4A1-40DF-8124-BDC43B0A9A6D}\RP20\A0016510.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{CD37CBAF-F4A1-40DF-8124-BDC43B0A9A6D}\RP20\A0016560.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{CD37CBAF-F4A1-40DF-8124-BDC43B0A9A6D}\RP20\A0016679.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{CD37CBAF-F4A1-40DF-8124-BDC43B0A9A6D}\RP20\A0016774.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{CD37CBAF-F4A1-40DF-8124-BDC43B0A9A6D}\RP20\A0016807.EXE

Adware.eZula
C:\SYSTEM VOLUME INFORMATION\_RESTORE{CD37CBAF-F4A1-40DF-8124-BDC43B0A9A6D}\RP20\A0016517.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{CD37CBAF-F4A1-40DF-8124-BDC43B0A9A6D}\RP20\A0016519.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{CD37CBAF-F4A1-40DF-8124-BDC43B0A9A6D}\RP20\A0016521.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{CD37CBAF-F4A1-40DF-8124-BDC43B0A9A6D}\RP20\A0016815.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{CD37CBAF-F4A1-40DF-8124-BDC43B0A9A6D}\RP20\A0016821.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{CD37CBAF-F4A1-40DF-8124-BDC43B0A9A6D}\RP20\A0016824.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{CD37CBAF-F4A1-40DF-8124-BDC43B0A9A6D}\RP20\A0016825.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{CD37CBAF-F4A1-40DF-8124-BDC43B0A9A6D}\RP26\A0018260.EXE

Unclassified.Svchost
C:\SYSTEM VOLUME INFORMATION\_RESTORE{CD37CBAF-F4A1-40DF-8124-BDC43B0A9A6D}\RP20\A0016727.EXE
D:\SYSTEM VOLUME INFORMATION\_RESTORE{CD37CBAF-F4A1-40DF-8124-BDC43B0A9A6D}\RP19\A0010961.EXE
D:\SYSTEM VOLUME INFORMATION\_RESTORE{CD37CBAF-F4A1-40DF-8124-BDC43B0A9A6D}\RP20\A0016357.EXE
D:\SYSTEM VOLUME INFORMATION\_RESTORE{CD37CBAF-F4A1-40DF-8124-BDC43B0A9A6D}\RP20\A0016358.EXE
D:\SYSTEM VOLUME INFORMATION\_RESTORE{CD37CBAF-F4A1-40DF-8124-BDC43B0A9A6D}\RP20\A0016359.EXE
D:\SYSTEM VOLUME INFORMATION\_RESTORE{CD37CBAF-F4A1-40DF-8124-BDC43B0A9A6D}\RP20\A0016360.EXE
D:\SYSTEM VOLUME INFORMATION\_RESTORE{CD37CBAF-F4A1-40DF-8124-BDC43B0A9A6D}\RP20\A0016361.EXE
D:\SYSTEM VOLUME INFORMATION\_RESTORE{CD37CBAF-F4A1-40DF-8124-BDC43B0A9A6D}\RP20\A0016362.EXE
D:\SYSTEM VOLUME INFORMATION\_RESTORE{CD37CBAF-F4A1-40DF-8124-BDC43B0A9A6D}\RP20\A0016363.EXE
D:\SYSTEM VOLUME INFORMATION\_RESTORE{CD37CBAF-F4A1-40DF-8124-BDC43B0A9A6D}\RP20\A0016364.EXE
D:\SYSTEM VOLUME INFORMATION\_RESTORE{CD37CBAF-F4A1-40DF-8124-BDC43B0A9A6D}\RP20\A0016365.EXE
D:\SYSTEM VOLUME INFORMATION\_RESTORE{CD37CBAF-F4A1-40DF-8124-BDC43B0A9A6D}\RP20\A0016366.EXE
D:\SYSTEM VOLUME INFORMATION\_RESTORE{CD37CBAF-F4A1-40DF-8124-BDC43B0A9A6D}\RP20\A0016367.EXE
D:\SYSTEM VOLUME INFORMATION\_RESTORE{CD37CBAF-F4A1-40DF-8124-BDC43B0A9A6D}\RP20\A0016368.EXE
D:\SYSTEM VOLUME INFORMATION\_RESTORE{CD37CBAF-F4A1-40DF-8124-BDC43B0A9A6D}\RP20\A0016369.EXE
D:\SYSTEM VOLUME INFORMATION\_RESTORE{CD37CBAF-F4A1-40DF-8124-BDC43B0A9A6D}\RP20\A0016370.EXE
D:\SYSTEM VOLUME INFORMATION\_RESTORE{CD37CBAF-F4A1-40DF-8124-BDC43B0A9A6D}\RP20\A0016371.EXE
D:\SYSTEM VOLUME INFORMATION\_RESTORE{CD37CBAF-F4A1-40DF-8124-BDC43B0A9A6D}\RP20\A0016372.EXE
D:\SYSTEM VOLUME INFORMATION\_RESTORE{CD37CBAF-F4A1-40DF-8124-BDC43B0A9A6D}\RP20\A0016373.EXE
D:\SYSTEM VOLUME INFORMATION\_RESTORE{CD37CBAF-F4A1-40DF-8124-BDC43B0A9A6D}\RP20\A0016374.EXE
D:\SYSTEM VOLUME INFORMATION\_RESTORE{CD37CBAF-F4A1-40DF-8124-BDC43B0A9A6D}\RP20\A0016375.EXE
D:\SYSTEM VOLUME INFORMATION\_RESTORE{CD37CBAF-F4A1-40DF-8124-BDC43B0A9A6D}\RP20\A0016376.EXE
D:\SYSTEM VOLUME INFORMATION\_RESTORE{CD37CBAF-F4A1-40DF-8124-BDC43B0A9A6D}\RP20\A0016377.EXE
D:\SYSTEM VOLUME INFORMATION\_RESTORE{CD37CBAF-F4A1-40DF-8124-BDC43B0A9A6D}\RP20\A0016378.EXE
D:\SYSTEM VOLUME INFORMATION\_RESTORE{CD37CBAF-F4A1-40DF-8124-BDC43B0A9A6D}\RP20\A0016379.EXE
D:\SYSTEM VOLUME INFORMATION\_RESTORE{CD37CBAF-F4A1-40DF-8124-BDC43B0A9A6D}\RP20\A0016380.EXE
D:\SYSTEM VOLUME INFORMATION\_RESTORE{CD37CBAF-F4A1-40DF-8124-BDC43B0A9A6D}\RP20\A0016381.EXE
D:\SYSTEM VOLUME INFORMATION\_RESTORE{CD37CBAF-F4A1-40DF-8124-BDC43B0A9A6D}\RP20\A0016382.EXE
D:\SYSTEM VOLUME INFORMATION\_RESTORE{CD37CBAF-F4A1-40DF-8124-BDC43B0A9A6D}\RP20\A0016383.EXE
D:\SYSTEM VOLUME INFORMATION\_RESTORE{CD37CBAF-F4A1-40DF-8124-BDC43B0A9A6D}\RP20\A0016384.EXE
D:\SYSTEM VOLUME INFORMATION\_RESTORE{CD37CBAF-F4A1-40DF-8124-BDC43B0A9A6D}\RP20\A0016385.EXE
D:\SYSTEM VOLUME INFORMATION\_RESTORE{CD37CBAF-F4A1-40DF-8124-BDC43B0A9A6D}\RP20\A0016386.EXE
D:\SYSTEM VOLUME INFORMATION\_RESTORE{CD37CBAF-F4A1-40DF-8124-BDC43B0A9A6D}\RP20\A0016387.EXE
D:\SYSTEM VOLUME INFORMATION\_RESTORE{CD37CBAF-F4A1-40DF-8124-BDC43B0A9A6D}\RP20\A0016388.EXE
D:\SYSTEM VOLUME INFORMATION\_RESTORE{CD37CBAF-F4A1-40DF-8124-BDC43B0A9A6D}\RP20\A0016389.EXE
D:\SYSTEM VOLUME INFORMATION\_RESTORE{CD37CBAF-F4A1-40DF-8124-BDC43B0A9A6D}\RP20\A0016390.EXE
D:\SYSTEM VOLUME INFORMATION\_RESTORE{CD37CBAF-F4A1-40DF-8124-BDC43B0A9A6D}\RP20\A0016391.EXE
D:\SYSTEM VOLUME INFORMATION\_RESTORE{CD37CBAF-F4A1-40DF-8124-BDC43B0A9A6D}\RP20\A0016392.EXE
D:\SYSTEM VOLUME INFORMATION\_RESTORE{CD37CBAF-F4A1-40DF-8124-BDC43B0A9A6D}\RP20\A0016393.EXE
D:\SYSTEM VOLUME INFORMATION\_RESTORE{CD37CBAF-F4A1-40DF-8124-BDC43B0A9A6D}\RP20\A0016394.EXE
D:\SYSTEM VOLUME INFORMATION\_RESTORE{CD37CBAF-F4A1-40DF-8124-BDC43B0A9A6D}\RP20\A0016395.EXE
D:\SYSTEM VOLUME INFORMATION\_RESTORE{CD37CBAF-F4A1-40DF-8124-BDC43B0A9A6D}\RP20\A0016396.EXE
D:\SYSTEM VOLUME INFORMATION\_RESTORE{CD37CBAF-F4A1-40DF-8124-BDC43B0A9A6D}\RP20\A0016397.EXE
D:\SYSTEM VOLUME INFORMATION\_RESTORE{CD37CBAF-F4A1-40DF-8124-BDC43B0A9A6D}\RP20\A0016398.EXE
D:\SYSTEM VOLUME INFORMATION\_RESTORE{CD37CBAF-F4A1-40DF-8124-BDC43B0A9A6D}\RP20\A0016399.EXE
D:\SYSTEM VOLUME INFORMATION\_RESTORE{CD37CBAF-F4A1-40DF-8124-BDC43B0A9A6D}\RP20\A0016400.EXE
D:\SYSTEM VOLUME INFORMATION\_RESTORE{CD37CBAF-F4A1-40DF-8124-BDC43B0A9A6D}\RP20\A0016401.EXE
D:\SYSTEM VOLUME INFORMATION\_RESTORE{CD37CBAF-F4A1-40DF-8124-BDC43B0A9A6D}\RP20\A0016402.EXE
D:\SYSTEM VOLUME INFORMATION\_RESTORE{CD37CBAF-F4A1-40DF-8124-BDC43B0A9A6D}\RP20\A0016403.EXE
D:\SYSTEM VOLUME INFORMATION\_RESTORE{CD37CBAF-F4A1-40DF-8124-BDC43B0A9A6D}\RP20\A0016404.EXE
D:\SYSTEM VOLUME INFORMATION\_RESTORE{CD37CBAF-F4A1-40DF-8124-BDC43B0A9A6D}\RP20\A0016405.EXE
D:\SYSTEM VOLUME INFORMATION\_RESTORE{CD37CBAF-F4A1-40DF-8124-BDC43B0A9A6D}\RP20\A0016406.EXE
D:\SYSTEM VOLUME INFORMATION\_RESTORE{CD37CBAF-F4A1-40DF-8124-BDC43B0A9A6D}\RP20\A0016407.EXE
D:\SYSTEM VOLUME INFORMATION\_RESTORE{CD37CBAF-F4A1-40DF-8124-BDC43B0A9A6D}\RP20\A0016408.EXE
D:\SYSTEM VOLUME INFORMATION\_RESTORE{CD37CBAF-F4A1-40DF-8124-BDC43B0A9A6D}\RP20\A0016409.EXE
D:\SYSTEM VOLUME INFORMATION\_RESTORE{CD37CBAF-F4A1-40DF-8124-BDC43B0A9A6D}\RP20\A0016410.EXE
D:\SYSTEM VOLUME INFORMATION\_RESTORE{CD37CBAF-F4A1-40DF-8124-BDC43B0A9A6D}\RP20\A0016411.EXE
D:\SYSTEM VOLUME INFORMATION\_RESTORE{CD37CBAF-F4A1-40DF-8124-BDC43B0A9A6D}\RP20\A0016412.EXE
D:\SYSTEM VOLUME INFORMATION\_RESTORE{CD37CBAF-F4A1-40DF-8124-BDC43B0A9A6D}\RP20\A0016413.EXE
D:\SYSTEM VOLUME INFORMATION\_RESTORE{CD37CBAF-F4A1-40DF-8124-BDC43B0A9A6D}\RP20\A0016414.EXE
D:\SYSTEM VOLUME INFORMATION\_RESTORE{CD37CBAF-F4A1-40DF-8124-BDC43B0A9A6D}\RP20\A0016415.EXE
D:\SYSTEM VOLUME INFORMATION\_RESTORE{CD37CBAF-F4A1-40DF-8124-BDC43B0A9A6D}\RP20\A0016416.EXE
D:\SYSTEM VOLUME INFORMATION\_RESTORE{CD37CBAF-F4A1-40DF-8124-BDC43B0A9A6D}\RP20\A0016417.EXE
D:\SYSTEM VOLUME INFORMATION\_RESTORE{CD37CBAF-F4A1-40DF-8124-BDC43B0A9A6D}\RP20\A0016418.EXE
D:\SYSTEM VOLUME INFORMATION\_RESTORE{CD37CBAF-F4A1-40DF-8124-BDC43B0A9A6D}\RP20\A0016419.EXE
D:\SYSTEM VOLUME INFORMATION\_RESTORE{CD37CBAF-F4A1-40DF-8124-BDC43B0A9A6D}\RP20\A0016420.EXE
D:\SYSTEM VOLUME INFORMATION\_RESTORE{CD37CBAF-F4A1-40DF-8124-BDC43B0A9A6D}\RP20\A0016421.EXE
D:\SYSTEM VOLUME INFORMATION\_RESTORE{CD37CBAF-F4A1-40DF-8124-BDC43B0A9A6D}\RP20\A0016422.EXE
D:\SYSTEM VOLUME INFORMATION\_RESTORE{CD37CBAF-F4A1-40DF-8124-BDC43B0A9A6D}\RP20\A0016423.EXE
D:\SYSTEM VOLUME INFORMATION\_RESTORE{CD37CBAF-F4A1-40DF-8124-BDC43B0A9A6D}\RP20\A0016424.EXE
D:\SYSTEM VOLUME INFORMATION\_RESTORE{CD37CBAF-F4A1-40DF-8124-BDC43B0A9A6D}\RP20\A0016425.EXE
D:\SYSTEM VOLUME INFORMATION\_RESTORE{CD37CBAF-F4A1-40DF-8124-BDC43B0A9A6D}\RP20\A0016426.EXE
D:\SYSTEM VOLUME INFORMATION\_RESTORE{CD37CBAF-F4A1-40DF-8124-BDC43B0A9A6D}\RP20\A0016427.EXE
D:\SYSTEM VOLUME INFORMATION\_RESTORE{CD37CBAF-F4A1-40DF-8124-BDC43B0A9A6D}\RP20\A0016428.EXE
D:\SYSTEM VOLUME INFORMATION\_RESTORE{CD37CBAF-F4A1-40DF-8124-BDC43B0A9A6D}\RP20\A0016429.EXE
D:\SYSTEM VOLUME INFORMATION\_RESTORE{CD37CBAF-F4A1-40DF-8124-BDC43B0A9A6D}\RP20\A0016430.EXE
D:\SYSTEM VOLUME INFORMATION\_RESTORE{CD37CBAF-F4A1-40DF-8124-BDC43B0A9A6D}\RP20\A0016431.EXE
D:\SYSTEM VOLUME INFORMATION\_RESTORE{CD37CBAF-F4A1-40DF-8124-BDC43B0A9A6D}\RP20\A0016432.EXE
D:\SYSTEM VOLUME INFORMATION\_RESTORE{CD37CBAF-F4A1-40DF-8124-BDC43B0A9A6D}\RP20\A0016433.EXE
D:\SYSTEM VOLUME INFORMATION\_RESTORE{CD37CBAF-F4A1-40DF-8124-BDC43B0A9A6D}\RP20\A0016434.EXE
D:\SYSTEM VOLUME INFORMATION\_RESTORE{CD37CBAF-F4A1-40DF-8124-BDC43B0A9A6D}\RP20\A0016435.EXE
D:\SYSTEM VOLUME INFORMATION\_RESTORE{CD37CBAF-F4A1-40DF-8124-BDC43B0A9A6D}\RP20\A0016436.EXE
D:\SYSTEM VOLUME INFORMATION\_RESTORE{CD37CBAF-F4A1-40DF-8124-BDC43B0A9A6D}\RP20\A0016437.EXE
D:\SYSTEM VOLUME INFORMATION\_RESTORE{CD37CBAF-F4A1-40DF-8124-BDC43B0A9A6D}\RP20\A0016438.EXE
D:\SYSTEM VOLUME INFORMATION\_RESTORE{CD37CBAF-F4A1-40DF-8124-BDC43B0A9A6D}\RP20\A0016439.EXE
D:\SYSTEM VOLUME INFORMATION\_RESTORE{CD37CBAF-F4A1-40DF-8124-BDC43B0A9A6D}\RP20\A0016440.EXE
D:\SYSTEM VOLUME INFORMATION\_RESTORE{CD37CBAF-F4A1-40DF-8124-BDC43B0A9A6D}\RP20\A0016441.EXE
D:\SYSTEM VOLUME INFORMATION\_RESTORE{CD37CBAF-F4A1-40DF-8124-BDC43B0A9A6D}\RP20\A0016442.EXE
D:\SYSTEM VOLUME INFORMATION\_RESTORE{CD37CBAF-F4A1-40DF-8124-BDC43B0A9A6D}\RP20\A0016443.EXE
D:\SYSTEM VOLUME INFORMATION\_RESTORE{CD37CBAF-F4A1-40DF-8124-BDC43B0A9A6D}\RP20\A0016444.EXE
D:\SYSTEM VOLUME INFORMATION\_RESTORE{CD37CBAF-F4A1-40DF-8124-BDC43B0A9A6D}\RP20\A0016445.EXE
D:\SYSTEM VOLUME INFORMATION\_RESTORE{CD37CBAF-F4A1-40DF-8124-BDC43B0A9A6D}\RP20\A0016446.EXE
D:\SYSTEM VOLUME INFORMATION\_RESTORE{CD37CBAF-F4A1-40DF-8124-BDC43B0A9A6D}\RP20\A0016447.EXE
D:\SYSTEM VOLUME INFORMATION\_RESTORE{CD37CBAF-F4A1-40DF-8124-BDC43B0A9A6D}\RP20\A0016448.EXE
D:\SYSTEM VOLUME INFORMATION\_RESTORE{CD37CBAF-F4A1-40DF-8124-BDC43B0A9A6D}\RP20\A0016449.EXE
D:\SYSTEM VOLUME INFORMATION\_RESTORE{CD37CBAF-F4A1-40DF-8124-BDC43B0A9A6D}\RP20\A0016450.EXE
D:\SYSTEM VOLUME INFORMATION\_RESTORE{CD37CBAF-F4A1-40DF-8124-BDC43B0A9A6D}\RP20\A0016451.EXE
D:\SYSTEM VOLUME INFORMATION\_RESTORE{CD37CBAF-F4A1-40DF-8124-BDC43B0A9A6D}\RP20\A0016452.EXE
D:\SYSTEM VOLUME INFORMATION\_RESTORE{CD37CBAF-F4A1-40DF-8124-BDC43B0A9A6D}\RP20\A0016453.EXE
D:\SYSTEM VOLUME INFORMATION\_RESTORE{CD37CBAF-F4A1-40DF-8124-BDC43B0A9A6D}\RP20\A0016454.EXE
D:\SYSTEM VOLUME INFORMATION\_RESTORE{CD37CBAF-F4A1-40DF-8124-BDC43B0A9A6D}\RP20\A0016455.EXE
D:\SYSTEM VOLUME INFORMATION\_RESTORE{CD37CBAF-F4A1-40DF-8124-BDC43B0A9A6D}\RP20\A0016456.EXE
D:\SYSTEM VOLUME INFORMATION\_RESTORE{CD37CBAF-F4A1-40DF-8124-BDC43B0A9A6D}\RP20\A0016457.EXE
D:\SYSTEM VOLUME INFORMATION\_RESTORE{CD37CBAF-F4A1-40DF-8124-BDC43B0A9A6D}\RP20\A0016458.EXE
D:\SYSTEM VOLUME INFORMATION\_RESTORE{CD37CBAF-F4A1-40DF-8124-BDC43B0A9A6D}\RP20\A0016459.EXE
D:\SYSTEM VOLUME INFORMATION\_RESTORE{CD37CBAF-F4A1-40DF-8124-BDC43B0A9A6D}\RP20\A0016460.EXE
D:\SYSTEM VOLUME INFORMATION\_RESTORE{CD37CBAF-F4A1-40DF-8124-BDC43B0A9A6D}\RP20\A0016461.EXE
D:\SYSTEM VOLUME INFORMATION\_RESTORE{CD37CBAF-F4A1-40DF-8124-BDC43B0A9A6D}\RP20\A0016462.EXE
D:\SYSTEM VOLUME INFORMATION\_RESTORE{CD37CBAF-F4A1-40DF-8124-BDC43B0A9A6D}\RP20\A0016463.EXE
D:\SYSTEM VOLUME INFORMATION\_RESTORE{CD37CBAF-F4A1-40DF-8124-BDC43B0A9A6D}\RP20\A0016464.EXE
D:\SYSTEM VOLUME INFORMATION\_RESTORE{CD37CBAF-F4A1-40DF-8124-BDC43B0A9A6D}\RP20\A0016465.EXE
D:\SYSTEM VOLUME INFORMATION\_RESTORE{CD37CBAF-F4A1-40DF-8124-BDC43B0A9A6D}\RP20\A0016466.EXE
D:\SYSTEM VOLUME INFORMATION\_RESTORE{CD37CBAF-F4A1-40DF-8124-BDC43B0A9A6D}\RP20\A0016467.EXE
D:\SYSTEM VOLUME INFORMATION\_RESTORE{CD37CBAF-F4A1-40DF-8124-BDC43B0A9A6D}\RP20\A0016468.EXE
D:\SYSTEM VOLUME INFORMATION\_RESTORE{CD37CBAF-F4A1-40DF-8124-BDC43B0A9A6D}\RP20\A0016469.EXE
D:\SYSTEM VOLUME INFORMATION\_RESTORE{CD37CBAF-F4A1-40DF-8124-BDC43B0A9A6D}\RP20\A0016470.EXE
D:\SYSTEM VOLUME INFORMATION\_RESTORE{CD37CBAF-F4A1-40DF-8124-BDC43B0A9A6D}\RP20\A0016471.EXE
D:\SYSTEM VOLUME INFORMATION\_RESTORE{CD37CBAF-F4A1-40DF-8124-BDC43B0A9A6D}\RP20\A0016472.EXE
D:\SYSTEM VOLUME INFORMATION\_RESTORE{CD37CBAF-F4A1-40DF-8124-BDC43B0A9A6D}\RP20\A0016473.EXE
D:\SYSTEM VOLUME INFORMATION\_RESTORE{CD37CBAF-F4A1-40DF-8124-BDC43B0A9A6D}\RP20\A0016474.EXE
D:\SYSTEM VOLUME INFORMATION\_RESTORE{CD37CBAF-F4A1-40DF-8124-BDC43B0A9A6D}\RP20\A0016475.EXE
D:\SYSTEM VOLUME INFORMATION\_RESTORE{CD37CBAF-F4A1-40DF-8124-BDC43B0A9A6D}\RP20\A0016476.EXE
D:\SYSTEM VOLUME INFORMATION\_RESTORE{CD37CBAF-F4A1-40DF-8124-BDC43B0A9A6D}\RP20\A0016477.EXE
D:\SYSTEM VOLUME INFORMATION\_RESTORE{CD37CBAF-F4A1-40DF-8124-BDC43B0A9A6D}\RP20\A0016478.EXE
D:\SYSTEM VOLUME INFORMATION\_RESTORE{CD37CBAF-F4A1-40DF-8124-BDC43B0A9A6D}\RP20\A0016479.EXE
D:\SYSTEM VOLUME INFORMATION\_RESTORE{CD37CBAF-F4A1-40DF-8124-BDC43B0A9A6D}\RP20\A0016480.EXE
D:\SYSTEM VOLUME INFORMATION\_RESTORE{CD37CBAF-F4A1-40DF-8124-BDC43B0A9A6D}\RP20\A0016481.EXE
D:\SYSTEM VOLUME INFORMATION\_RESTORE{CD37CBAF-F4A1-40DF-8124-BDC43B0A9A6D}\RP20\A0016482.EXE
D:\SYSTEM VOLUME INFORMATION\_RESTORE{CD37CBAF-F4A1-40DF-8124-BDC43B0A9A6D}\RP20\A0016483.EXE
D:\SYSTEM VOLUME INFORMATION\_RESTORE{CD37CBAF-F4A1-40DF-8124-BDC43B0A9A6D}\RP20\A0016484.EXE
D:\SYSTEM VOLUME INFORMATION\_RESTORE{CD37CBAF-F4A1-40DF-8124-BDC43B0A9A6D}\RP20\A0016485.EXE
D:\SYSTEM VOLUME INFORMATION\_RESTORE{CD37CBAF-F4A1-40DF-8124-BDC43B0A9A6D}\RP20\A0016486.EXE
D:\SYSTEM VOLUME INFORMATION\_RESTORE{CD37CBAF-F4A1-40DF-8124-BDC43B0A9A6D}\RP20\A0016487.EXE
D:\SYSTEM VOLUME INFORMATION\_RESTORE{CD37CBAF-F4A1-40DF-8124-BDC43B0A9A6D}\RP20\A0016488.EXE
D:\SYSTEM VOLUME INFORMATION\_RESTORE{CD37CBAF-F4A1-40DF-8124-BDC43B0A9A6D}\RP20\A0016489.EXE
D:\SYSTEM VOLUME INFORMATION\_RESTORE{CD37CBAF-F4A1-40DF-8124-BDC43B0A9A6D}\RP20\A0016490.EXE
D:\SYSTEM VOLUME INFORMATION\_RESTORE{CD37CBAF-F4A1-40DF-8124-BDC43B0A9A6D}\RP20\A0016491.EXE
D:\SYSTEM VOLUME INFORMATION\_RESTORE{CD37CBAF-F4A1-40DF-8124-BDC43B0A9A6D}\RP20\A0016492.EXE
D:\SYSTEM VOLUME INFORMATION\_RESTORE{CD37CBAF-F4A1-40DF-8124-BDC43B0A9A6D}\RP20\A0016493.EXE
D:\SYSTEM VOLUME INFORMATION\_RESTORE{CD37CBAF-F4A1-40DF-8124-BDC43B0A9A6D}\RP20\A0016494.EXE
D:\SYSTEM VOLUME INFORMATION\_RESTORE{CD37CBAF-F4A1-40DF-8124-BDC43B0A9A6D}\RP20\A0016495.EXE
D:\SYSTEM VOLUME INFORMATION\_RESTORE{CD37CBAF-F4A1-40DF-8124-BDC43B0A9A6D}\RP20\A0016496.EXE
D:\SYSTEM VOLUME INFORMATION\_RESTORE{CD37CBAF-F4A1-40DF-8124-BDC43B0A9A6D}\RP20\A0016497.EXE
D:\SYSTEM VOLUME INFORMATION\_RESTORE{CD37CBAF-F4A1-40DF-8124-BDC43B0A9A6D}\RP20\A0016498.EXE
D:\SYSTEM VOLUME INFORMATION\_RESTORE{CD37CBAF-F4A1-40DF-8124-BDC43B0A9A6D}\RP20\A0016499.EXE
D:\SYSTEM VOLUME INFORMATION\_RESTORE{CD37CBAF-F4A1-40DF-8124-BDC43B0A9A6D}\RP20\A0016500.EXE
D:\SYSTEM VOLUME INFORMATION\_RESTORE{CD37CBAF-F4A1-40DF-8124-BDC43B0A9A6D}\RP20\A0016501.EXE
D:\SYSTEM VOLUME INFORMATION\_RESTORE{CD37CBAF-F4A1-40DF-8124-BDC43B0A9A6D}\RP20\A0016502.EXE
D:\SYSTEM VOLUME INFORMATION\_RESTORE{CD37CBAF-F4A1-40DF-8124-BDC43B0A9A6D}\RP20\A0016503.EXE
D:\SYSTEM VOLUME INFORMATION\_RESTORE{CD37CBAF-F4A1-40DF-8124-BDC43B0A9A6D}\RP20\A0016504.EXE
D:\SYSTEM VOLUME INFORMATION\_RESTORE{CD37CBAF-F4A1-40DF-8124-BDC43B0A9A6D}\RP20\A0016562.EXE

Trojan.Downloader-Gen/AllowCookie
C:\SYSTEM VOLUME INFORMATION\_RESTORE{CD37CBAF-F4A1-40DF-8124-BDC43B0A9A6D}\RP20\A0016819.EXE

Trojan.Downloader-Gen/HitItQuitIt
C:\SYSTEM VOLUME INFORMATION\_RESTORE{CD37CBAF-F4A1-40DF-8124-BDC43B0A9A6D}\RP26\A0018262.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{CD37CBAF-F4A1-40DF-8124-BDC43B0A9A6D}\RP27\A0018305.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{CD37CBAF-F4A1-40DF-8124-BDC43B0A9A6D}\RP27\A0018306.DLL

Trojan.Downloader-Gen/TStamp
C:\SYSTEM VOLUME INFORMATION\_RESTORE{CD37CBAF-F4A1-40DF-8124-BDC43B0A9A6D}\RP26\A0018264.EXE
C:\VUNDOFIX BACKUPS\BDCORJJQ.EXE.BAD

BearShare File Sharing Client
D:\BEARSHARE\BEARSHARE.EXE

Trojan.Update-Mcboo
E:\SYSTEM VOLUME INFORMATION\_RESTORE{CD37CBAF-F4A1-40DF-8124-BDC43B0A9A6D}\RP16\A0006165.EXE

Here's the HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:13:42 PM, on 8/4/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\PROGRA~1\HDTUNE~1\HDTune.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
D:\ad aware 07\aawservice.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Sify Broadband\BBClient.exe
C:\Program Files\Sify Broadband\BBImpSec.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HD Tune] C:\PROGRA~1\HDTUNE~1\HDTune.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SifyBB] C:\Program Files\Sify Broadband\BBImpSec.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [AROReminder] C:\Program Files\Advanced Registry Optimizer\ARO.exe -rem
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{42A62DBC-E86E-411F-A3F3-41B5473FA329}: NameServer = 202.144.115.4,202.144.66.6
O17 - HKLM\System\CS1\Services\Tcpip\..\{42A62DBC-E86E-411F-A3F3-41B5473FA329}: NameServer = 202.144.115.4,202.144.66.6
O17 - HKLM\System\CS2\Services\Tcpip\..\{42A62DBC-E86E-411F-A3F3-41B5473FA329}: NameServer = 202.144.115.4,202.144.66.6
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - D:\ad aware 07\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

--
End of file - 4524 bytes

I have a question.
In your last post you said it's not safe to have 2 antiviruses installed, but now I have Ad-Aware 2007, avast! 4 and SUPERAntiSpyware installed. Please clarify my doubt.

Also my PC is running super fast, as if I reformatted it!
THANK YOU ONCE AGAIN! :thumbsup:
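
A parser for the HijackThis log format posted above, with a few review heuristics of the kind a helper applies when reading one (added example, not code from this thread or from Trend Micro). The sample lines are copied from the log above plus one constructed O17 line; EXPECTED_DNS and STANDARD_ROOTS are assumptions for illustration, and a finding means "verify this", not "this is malicious".

```python
"""Parse HijackThis 2.0 'Oxx - ...' entries and run a few review heuristics.
Added example, not code from this thread or from Trend Micro; a finding means
'a human should verify this', not 'this is malicious'."""
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample: the first six lines are copied from the log in this
# thread; the last O17 line is made up (192.0.2.1 is a documentation address)
# to show how an unexpected DNS resolver is reported.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [AROReminder] C:\Program Files\Advanced Registry Optimizer\ARO.exe -rem
O17 - HKLM\System\CCS\Services\Tcpip\..\{42A62DBC-E86E-411F-A3F3-41B5473FA329}: NameServer = 202.144.115.4,202.144.66.6
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - D:\ad aware 07\aawservice.exe
O17 - HKLM\System\CS1\Services\Tcpip\..\{42A62DBC-E86E-411F-A3F3-41B5473FA329}: NameServer = 192.0.2.1
"""

EXPECTED_DNS = {"202.144.115.4", "202.144.66.6"}  # assumption: the ISP's resolvers
STANDARD_ROOTS = (r"c:\windows", r"c:\program files", r"c:\progra~1")  # lower-cased

ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d{1,2}) - (?P<detail>.*)$")
O4_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")  # Run keys only
O17_RE = re.compile(r"NameServer = (?P<servers>[\d.,]+)$")
O23_RE = re.compile(r"^Service: (?P<svc>.+?) - (?P<vendor>.+?) - (?P<path>.+)$")

@dataclass
class Entry:
    section: str  # e.g. "O4"
    detail: str   # everything after "O4 - "

def parse_hjt(text: str) -> list[Entry]:
    """Keep only 'Rx/Fx/Oxx - ...' lines; the header and process list are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m["section"], m["detail"]))
    return entries

def executable_of(cmd: str) -> str:
    """Program path from a Run value: quoted, unquoted with spaces, or bare name."""
    q = re.match(r'^"([^"]+)"', cmd)
    if q:
        return q.group(1)
    m = re.match(r"^(.*?\.exe)(?:\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split()[0]

def triage(entries: list[Entry]) -> list[str]:
    """Return one 'section: reason (what)' string per entry worth a second look."""
    findings = []
    for e in entries:
        if e.section == "O4" and (m := O4_RE.match(e.detail)):
            exe = executable_of(m["cmd"])
            if "\\" not in exe:  # no directory: Windows resolves it by search path
                findings.append(f"O4: bare filename, verify which file loads ({m['name']} -> {exe})")
            elif not exe.lower().startswith(STANDARD_ROOTS):
                findings.append(f"O4: autorun outside standard dirs ({m['name']} -> {exe})")
        elif e.section == "O17" and (m := O17_RE.search(e.detail)):
            odd = [s for s in m["servers"].split(",") if s not in EXPECTED_DNS]
            if odd:
                findings.append(f"O17: unexpected DNS resolver(s) {','.join(odd)}")
        elif e.section == "O23" and (m := O23_RE.match(e.detail)):
            if not m["path"].lower().startswith(STANDARD_ROOTS):
                findings.append(f"O23: service outside standard dirs ({m['svc']} -> {m['path']})")
    return findings

if __name__ == "__main__":
    for finding in triage(parse_hjt(SAMPLE_LOG)):
        print(finding)
```

On the sample it reports the bare RTHDCPL.EXE autorun, the Ad-Aware service on D:, and the constructed 192.0.2.1 resolver, while the avast! entries and the ISP resolvers pass; the D: hit is the kind a reviewer then clears by hand, as the helper did here.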

#6 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • Local time:11:05 AM

Posted 04 August 2007 - 06:59 AM

Your log is clean :thumbsup:
If all's ok, please do the following.

Find and delete:
fix.bat
VundoFix.exe
Combofix.exe

C:\VundoFix Backups
C:\QOOBOX

Download ATF Cleaner by Atribune:
http://www.atribune.org/ccount/click.php?id=1

Double-click ATF-Cleaner.exe to run the program.
Click 'Select All' found at the bottom of the list.
Click the 'Empty Selected' button.

If you use Firefox browser, do this also:
Click Firefox at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords, please click 'No' at the prompt.

If you use Opera browser, do this also:
Click Opera at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords, please click 'No' at the prompt.

Click 'Exit' on the Main menu to close the program.

--------------------------------------------------

Click on Start/All Programs/Accessories/System Tools/System Restore.
In the 'System Restore' window, click on the 'Create a Restore Point' button, then click 'Next'.
In the window that appears, enter a description/name for the Restore Point, then click on 'Create', wait, then click 'Close'.
The date and time will be created automatically.

Next click on Start/All Programs/Accessories/System Tools/Disk Cleanup.
The 'Select Drive' box will appear, click on Ok.
The 'Disk Cleanup for [C:]' box will appear, click on the 'More Options' tab.
At the bottom in the 'System Restore' window, click on the 'Clean up...' button.
A box will pop up 'Are you sure you want to delete all but the most recent restore point?', click on 'Yes'.
Click on 'Yes' at 'Are you sure you want to perform these actions?'.
Now wait until 'Disk Cleanup' finishes and the box disappears.

Read through the information found here, to help you prevent any possible future infections.
'How to prevent Malware' by miekiemoes:
http://users.telenet.be/bluepatchy/miekiem...prevention.html

#7 funky_beats06

funky_beats06
  • Topic Starter

  • Members
  • 51 posts
  • Local time:05:05 AM

Posted 04 August 2007 - 09:47 AM

Thanks a million, I feel much relieved now.
BleepingComputer is definitely a great site to get your problems solved.
Thanks once again, Richie :thumbsup:

#8 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • Local time:11:05 AM

Posted 04 August 2007 - 10:06 AM

You're most welcome :thumbsup:

This thread will now be closed.
If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you.
Include the address of this thread in your request.
If you should have a new issue, please start a new topic.
This applies only to the original topic starter.
Everyone else please begin a New Topic.