Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

I Am Also Having A Vundo Problem


  • Please log in to reply
11 replies to this topic

#1 Adam Tran

Adam Tran

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:03:59 AM

Posted 23 October 2007 - 09:20 PM

Hello everyone, I recently have a Trojan Horse Vundo problem (and still battling it now)

So I downloaded the latest version of Java and I have Vundo.exe (but no folder)

So please guide me through this and I shall praise you :thumbsup:

Also I have downloaded HiJackThis, and this is the log file

ogfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:18:47 PM, on 10/23/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Xfire\xfire.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\VCOM\SYSTEM~1\MXTask.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54GSv2.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\PROGRA~1\VCOM\SYSTEM~1\mxtask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Trillian\trillian.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Hung Tran\Desktop\VundoFix(2).exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Documents and Settings\Hung Tran\Desktop\HiJackThis_v2.exe
C:\Documents and Settings\Hung Tran\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://runonce.msn.com/?v=msgrv75
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\SYSTEM32\maskwmzg.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Fix-It AV] C:\PROGRA~1\VCOM\SYSTEM~1\MemCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s
O4 - HKLM\..\Run: [203d0c55] rundll32.exe "C:\WINDOWS\system32\eximayxp.dll",b
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Hide IP Platinum] C:\Program Files\Hide IP Platinum\hideippla.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Firefly] "C:\Program Files\Firefly 2\Firefly.exe" /autostart
O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [Stickman Server Stats] C:\DOCUME~1\HUNGTR~1\LOCALS~1\Temp\Rar$EX00.437\Serverstats.exe
O4 - HKUS\S-1-5-19\..\Run: [Yahoo! Pager] C:\AOL Downloads\Messenger\ypager.exe -quiet (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Yahoo! Pager] C:\AOL Downloads\Messenger\ypager.exe -quiet (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Yahoo! Pager] C:\AOL Downloads\Messenger\ypager.exe -quiet (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Yahoo! Pager] C:\AOL Downloads\Messenger\ypager.exe -quiet (User 'Default user')
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\xfire.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\AOL Downloads\Common/ycsrch.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\AOL Downloads\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\AOL Downloads\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\WINDOWS\System32\shdocvw.dll (HKCU)
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownlo...GPlugin9USA.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: OneStep Search Service - OneStepSearch.net, Inc. - C:\Program Files\OneStepSearch\onestep.exe
O23 - Service: SystemSuite Task Manager - Avanquest Publishing USA, Inc. - C:\PROGRA~1\VCOM\SYSTEM~1\MXTask.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WUSB54GSv2SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
O24 - Desktop Component 0: (no name) - http://img182.exs.cx/img182/3226/narusig0jd.jpg

--
End of file - 9468 bytes

BC AdBot (Login to Remove)

 


m

#2 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:09:59 AM

Posted 24 October 2007 - 03:09 AM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum Adam Tran :thumbsup:
My name is Richie and i'll be helping you to fix your problems.

Please move HijackThis to a permanent folder on the hard drive such as C:\HJT.
Create a new folder and place HijackThis.exe inside that folder so that the backups of log changes it creates are saved in the same folder and can be used to reverse any line entry deletion if found to be necessary.
If you run Hijackthis from the desktop, the files it removes will not be backed up properly.

How to create a new folder named HJT
1. Click Start/My Computer,in the 'My Computer' window,open the window in which you want to create the new folder,click on Local Disk C:
2. From the 'File' menu choose 'New'.
3. From the 'New' menu choose 'Folder'.
4. Type the folder name: HJT
5. Then press Enter.

If you need help,follow the info in the link below:
http://russelltexas.com/malware/createhjtfolder.htm

Viewpoint Manager is considered as foistware instead of malware since it is installed without users approval but doesn't spy or do anything "bad".
This changed in 2006,read this article:
http://www.clickz.com/news/article.php/3561546

You are well advised to remove the program now.
Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present,then restart your pc:
Viewpoint
Viewpoint Manager
Viewpoint Media Player


If you have previously downloaded ComboFix,please delete that version now.
Now download Combofix and save to your desktop:
Note:
It is important that it is saved directly to your desktop

Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.
Note:
Do not mouseclick combofix's window while it's running.
That may cause the program to freeze/hang.

Do NOT post the ComboFix-quarantined-files.txt unless I ask.

Now go to:
C:\HJT\HijackThis.exe
Right click on Hijackthis.exe and select 'Rename', rename it to abc.bat
Double click on abc.bat(which is still Hijackthis.exe),post that log into your next reply please.
Posted Image
Posted Image

#3 Adam Tran

Adam Tran
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:03:59 AM

Posted 24 October 2007 - 03:15 PM

Thank you so much Richie.

Here is the ComboFix log you requested

ComboFix 07-10-24.1 - Hung Tran 2007-10-24 15:20:16.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.161 [GMT -4:00]
Running from: C:\Documents and Settings\Hung Tran\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Administrator\Desktop\Live Safety Center.lnk
C:\Documents and Settings\Administrator\Desktop\Online Security Guide.lnk
C:\Documents and Settings\Administrator\Favorites\Online Security Guide.lnk
C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
C:\Documents and Settings\All Users\Start Menu\Online Security Guide.lnk
C:\Documents and Settings\Hung Tran\Desktop\Live Safety Center.lnk
C:\Documents and Settings\Hung Tran\Desktop\Online Security Guide.lnk
C:\Documents and Settings\Hung Tran\Favorites\Online Security Guide.lnk
C:\Documents and Settings\Hung Tran\My Documents\internet.lnk
C:\Program Files\newdotnet
C:\Program Files\newdotnet\newdotnet7_48.dll
C:\Program Files\newdotnet\readme.html
C:\Program Files\newdotnet\uninstall7_48.exe
C:\WINDOWS\start.exe
C:\WINDOWS\system32\auto.exe
C:\WINDOWS\system32\maskwmzg.dllbox
C:\WINDOWS\SYSTEM32\tsstv.bak2
C:\WINDOWS\SYSTEM32\tsstv.ini
C:\WINDOWS\system32\vtsst.dll

.
((((((((((((((((((((((((( Files Created from 2007-09-24 to 2007-10-24 )))))))))))))))))))))))))))))))
.

2007-10-24 15:17 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-24 14:56 <DIR> d-------- C:\HJT
2007-10-23 22:02 <DIR> d-------- C:\Program Files\Sun
2007-10-23 21:37 84,544 --a------ C:\WINDOWS\SYSTEM32\eximayxp.dll
2007-10-23 20:49 <DIR> d-------- C:\VundoFix Backups
2007-10-23 06:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TEMP
2007-10-23 06:11 <DIR> d-------- C:\Program Files\Trojan Remover
2007-10-23 06:11 <DIR> d-------- C:\Documents and Settings\Hung Tran\Application Data\Simply Super Software
2007-10-23 06:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Simply Super Software
2007-10-23 06:11 162,304 --a------ C:\WINDOWS\SYSTEM32\ztvunrar36.dll
2007-10-23 06:11 153,088 --a------ C:\WINDOWS\SYSTEM32\UNRAR3.dll
2007-10-23 06:11 77,312 --a------ C:\WINDOWS\SYSTEM32\ztvunace26.dll
2007-10-23 06:11 75,264 --a------ C:\WINDOWS\SYSTEM32\unacev2.dll
2007-10-23 06:11 69,632 --a------ C:\WINDOWS\SYSTEM32\ztvcabinet.dll
2007-10-23 06:10 411,929 --a------ C:\WINDOWS\SYSTEM32\tsstv.bak2.ren
2007-10-22 23:18 <DIR> d-------- C:\Program Files\Avira
2007-10-22 23:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2007-10-22 22:50 <DIR> d--hs---- C:\FOUND.002
2007-10-22 21:56 <DIR> d-------- C:\Program Files\Lavasoft
2007-10-22 21:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-10-22 00:59 340,032 --a------ C:\WINDOWS\SYSTEM32\svtvsfrq.dll
2007-10-22 00:59 340,032 --------- C:\WINDOWS\SYSTEM32\maskwmzg.dll
2007-10-21 12:57 409,682 --a------ C:\WINDOWS\SYSTEM32\tsstv.bak1.ren
2007-10-21 12:56 411,058 --ahs---- C:\WINDOWS\SYSTEM32\tsstv.ini.ren
2007-10-21 12:51 34,304 --------- C:\WINDOWS\SYSTEM32\rqronmj.dll
2007-10-20 17:35 <DIR> d--hs---- C:\FOUND.001
2007-10-18 16:21 <DIR> d-------- C:\Documents and Settings\Hung Tran\Application Data\acccore
2007-10-18 16:18 <DIR> d-------- C:\Program Files\AIM6
2007-10-16 17:42 <DIR> d-------- C:\Documents and Settings\Hung Tran\Application Data\IceChat
2007-10-16 17:35 <DIR> d-------- C:\Program Files\IceChat7
2007-10-16 17:35 143,360 --a------ C:\WINDOWS\SYSTEM32\unzip32.dll
2007-10-15 18:24 <DIR> d-------- C:\Program Files\TalkShoe
2007-10-09 17:35 582,656 --------- C:\WINDOWS\SYSTEM32\dllcache\rpcrt4.dll
2007-09-28 22:32 7,552 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\enodpl.sys
2007-09-28 22:32 4,736 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\tandpl.sys
2007-09-28 22:31 <DIR> d-------- C:\Program Files\Ubisoft
2007-09-28 22:16 <DIR> d-------- C:\Program Files\GameSpot
2007-09-28 19:16 <DIR> d-------- C:\Documents and Settings\Hung Tran\Application Data\Talkback
2007-09-25 23:26 28,672 --a------ C:\WINDOWS\SYSTEM32\AVEQT.dll
2007-09-25 23:25 <DIR> d-------- C:\Program Files\MOV to AVI MPEG WMV Converter

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-29 02:16 5,802 ----a-w C:\Program Files\install.log
2007-09-16 04:28 501,280 ----a-w C:\WINDOWS\SYSTEM32\winsk.scr
2007-09-16 04:28 18,432 ----a-w C:\WINDOWS\ss3unstl.exe
2007-09-16 04:20 --------- d-----w C:\Program Files\Drawing Hand
2007-09-16 02:49 --------- d-----w C:\Documents and Settings\NetworkService\Application Data\Xfire
2007-09-16 02:48 --------- d-----w C:\Program Files\TGTSoft
2007-09-16 02:27 --------- d-----w C:\Program Files\themexp
2007-09-16 02:27 --------- d-----w C:\Program Files\OneStepSearch
2007-09-11 03:19 84,960 ----a-w C:\Documents and Settings\Hung Tran\Application Data\GDIPFONTCACHEV1.DAT
2007-09-09 23:43 --------- d-----w C:\Program Files\Longtion
2007-09-09 23:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\Ulead Systems
2007-09-09 22:10 --------- d-----w C:\Program Files\Animation GIF Wizard
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\SYSTEM32\inetcomm.dll
2007-08-21 06:15 683,520 ------w C:\WINDOWS\SYSTEM32\dllcache\inetcomm.dll
2007-08-20 10:04 824,832 ----a-w C:\WINDOWS\SYSTEM32\dllcache\wininet.dll
2007-08-20 10:04 671,232 ----a-w C:\WINDOWS\SYSTEM32\dllcache\mstime.dll
2007-08-20 10:04 63,488 ------w C:\WINDOWS\SYSTEM32\dllcache\icardie.dll
2007-08-20 10:04 6,058,496 ------w C:\WINDOWS\SYSTEM32\dllcache\ieframe.dll
2007-08-20 10:04 52,224 ------w C:\WINDOWS\SYSTEM32\dllcache\msfeedsbs.dll
2007-08-20 10:04 477,696 ----a-w C:\WINDOWS\SYSTEM32\dllcache\mshtmled.dll
2007-08-20 10:04 459,264 ------w C:\WINDOWS\SYSTEM32\dllcache\msfeeds.dll
2007-08-20 10:04 44,544 ------w C:\WINDOWS\SYSTEM32\dllcache\iernonce.dll
2007-08-20 10:04 384,512 ------w C:\WINDOWS\SYSTEM32\dllcache\iedkcs32.dll
2007-08-20 10:04 383,488 ------w C:\WINDOWS\SYSTEM32\dllcache\ieapfltr.dll
2007-08-20 10:04 3,584,512 ----a-w C:\WINDOWS\SYSTEM32\dllcache\mshtml.dll
2007-08-20 10:04 27,648 ----a-w C:\WINDOWS\SYSTEM32\dllcache\jsproxy.dll
2007-08-20 10:04 267,776 ------w C:\WINDOWS\SYSTEM32\dllcache\iertutil.dll
2007-08-20 10:04 232,960 ------w C:\WINDOWS\SYSTEM32\dllcache\webcheck.dll
2007-08-20 10:04 230,400 ------w C:\WINDOWS\SYSTEM32\dllcache\ieaksie.dll
2007-08-20 10:04 214,528 ----a-w C:\WINDOWS\SYSTEM32\dllcache\dxtrans.dll
2007-08-20 10:04 193,024 ----a-w C:\WINDOWS\SYSTEM32\dllcache\msrating.dll
2007-08-20 10:04 153,088 ------w C:\WINDOWS\SYSTEM32\dllcache\ieakeng.dll
2007-08-20 10:04 132,608 ----a-w C:\WINDOWS\SYSTEM32\dllcache\extmgr.dll
2007-08-20 10:04 124,928 ------w C:\WINDOWS\SYSTEM32\dllcache\advpack.dll
2007-08-20 10:04 105,984 ------w C:\WINDOWS\SYSTEM32\dllcache\url.dll
2007-08-20 10:04 102,400 ------w C:\WINDOWS\SYSTEM32\dllcache\occache.dll
2007-08-20 10:04 1,152,000 ----a-w C:\WINDOWS\SYSTEM32\dllcache\urlmon.dll
2007-08-17 10:21 625,152 ------w C:\WINDOWS\SYSTEM32\dllcache\iexplore.exe
2007-08-17 10:20 63,488 ------w C:\WINDOWS\SYSTEM32\dllcache\ie4uinit.exe
2007-08-17 10:20 13,824 ------w C:\WINDOWS\SYSTEM32\dllcache\ieudinit.exe
2007-08-17 07:34 161,792 ----a-w C:\WINDOWS\SYSTEM32\dllcache\ieakui.dll
2007-07-30 23:19 92,504 ----a-w C:\WINDOWS\SYSTEM32\dllcache\cdm.dll
2007-07-30 23:19 92,504 ----a-w C:\WINDOWS\SYSTEM32\cdm.dll
2007-07-30 23:19 549,720 ----a-w C:\WINDOWS\SYSTEM32\wuapi.dll
2007-07-30 23:19 549,720 ----a-w C:\WINDOWS\SYSTEM32\dllcache\wuapi.dll
2007-07-30 23:19 53,080 ----a-w C:\WINDOWS\SYSTEM32\wuauclt.exe
2007-07-30 23:19 53,080 ----a-w C:\WINDOWS\SYSTEM32\dllcache\wuauclt.exe
2007-07-30 23:19 43,352 ----a-w C:\WINDOWS\SYSTEM32\wups2.dll
2007-07-30 23:19 325,976 ----a-w C:\WINDOWS\SYSTEM32\wucltui.dll
2007-07-30 23:19 325,976 ----a-w C:\WINDOWS\SYSTEM32\dllcache\wucltui.dll
2007-07-30 23:19 271,224 ----a-w C:\WINDOWS\SYSTEM32\mucltui.dll
2007-07-30 23:19 207,736 ----a-w C:\WINDOWS\SYSTEM32\muweb.dll
2007-07-30 23:19 203,096 ----a-w C:\WINDOWS\SYSTEM32\wuweb.dll
2007-07-30 23:19 203,096 ----a-w C:\WINDOWS\SYSTEM32\dllcache\wuweb.dll
2007-07-30 23:19 1,712,984 ----a-w C:\WINDOWS\SYSTEM32\wuaueng.dll
2007-07-30 23:19 1,712,984 ----a-w C:\WINDOWS\SYSTEM32\dllcache\wuaueng.dll
2007-07-30 23:18 33,624 ----a-w C:\WINDOWS\SYSTEM32\wups.dll
2007-07-30 23:18 33,624 ----a-w C:\WINDOWS\SYSTEM32\dllcache\wups.dll
2007-07-26 23:06 200,704 ----a-w C:\WINDOWS\SYSTEM32\ssldivx.dll
2007-07-26 23:06 1,044,480 ----a-w C:\WINDOWS\SYSTEM32\libdivx.dll
2002-06-21 10:30 266 --sh--w C:\Program Files\desktop.ini
2002-06-21 10:30 11,079 ---h--w C:\Program Files\folder.htt
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
2007-10-22 01:00 340032 --------- C:\WINDOWS\SYSTEM32\maskwmzg.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F6B1F430-52B5-4478-9FC6-A94F79D423C3}]
2007-10-21 12:51 34304 --------- C:\WINDOWS\SYSTEM32\rqronmj.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{11A69AE4-FBED-4832-A2BF-45AF82825583}"= C:\WINDOWS\SYSTEM32\maskwmzg.dll [2007-10-22 01:00 340032]

[HKEY_CLASSES_ROOT\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50]
"Fix-It AV"="C:\PROGRA~1\VCOM\SYSTEM~1\MemCheck.exe" [2006-02-22 19:51]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-02-23 16:45]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-06-28 20:58]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-09-24 22:25]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 12:22]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-10-22 12:22]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2007-10-22 23:30]
"TrojanScanner"="C:\Program Files\Trojan Remover\Trjscan.exe" [2007-09-30 19:38]
"203d0c55"="C:\WINDOWS\system32\eximayxp.dll" [2007-10-23 21:37]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Spyware Doctor"="C:\Program Files\Spyware Doctor\swdoctor.exe" [2005-01-06 14:04]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54]
"Hide IP Platinum"="C:\Program Files\Hide IP Platinum\hideippla.exe" [2006-09-23 17:27]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56]
"Firefly"="C:\Program Files\Firefly 2\Firefly.exe" [2006-12-07 11:42]
"DW4"="C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe" [2007-03-16 07:51]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2007-09-29 16:22]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Yahoo! Pager"=C:\AOL Downloads\Messenger\ypager.exe -quiet

C:\Documents and Settings\Hung Tran\Start Menu\Programs\Startup\
Xfire.lnk - C:\Program Files\Xfire\xfire.exe [2007-10-02 19:56:04]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
@=

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
@=

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{F6B1F430-52B5-4478-9FC6-A94F79D423C3}"= C:\WINDOWS\SYSTEM32\rqronmj.dll [2007-10-21 12:51 34304]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\maskwmzg]
maskwmzg.dll 2007-10-22 01:00 340032 C:\WINDOWS\SYSTEM32\maskwmzg.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\vtsst.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Belkin Wireless Network Monitor Utility (USB).lnk]
backup=C:\WINDOWS\pss\Belkin Wireless Network Monitor Utility (USB).lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^CleanSweep Smart Sweep-Internet Sweep.lnk]
backup=C:\WINDOWS\pss\CleanSweep Smart Sweep-Internet Sweep.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MyWebSearch Email Plugin.lnk]
backup=C:\WINDOWS\pss\MyWebSearch Email Plugin.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Screen Saver Control.lnk]
backup=C:\WINDOWS\pss\Screen Saver Control.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hoadgbw]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MyWebSearch Email Plugin]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec NetDriver Monitor]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SystemTray]
SysTray.Exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\type32]
"C:\Program Files\Microsoft IntelliType Pro\type32.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WUSB54Gv4]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
C:\AOL Downloads\Messenger\ypager.exe -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yqtunkgz]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WUSB54Gv4SVC"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
"Disc Detector"=C:\Program Files\Creative\ShareDLL\CtNotify.exe
"CTStartup"=C:\PROGRAM FILES\CREATIVE\SPLASH SCREEN\CTEaxSpl.EXE /run
"NvCplDaemon"=RUNDLL32.EXE C:\WINDOWS\SYSTEM32\nvcpl.dll,NvStartup
"nwiz"=nwiz.exe /install
"AdaptecDirectCD"="C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
"StillImageMonitor"=C:\WINDOWS\SYSTEM32\STIMON.EXE
"GhostStartTrayApp"=C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe

R1 ewido security suite driver;ewido security suite driver;\??\C:\Program Files\ewido\security suite\guard.sys
S2 OneStep Search Service;OneStep Search Service;"C:\Program Files\OneStepSearch\onestep.exe" "C:\Program Files\OneStepSearch\onestep.dll" Service
S3 EVOLUSB;%EVOL_USB.SvcDesc%;C:\WINDOWS\system32\drivers\evolusb.sys
S3 MR97310_USB_DUAL_CAMERA;MR97310 CIF Dual Mode Camera;C:\WINDOWS\system32\DRIVERS\mr97310c.sys
S3 WUSB54GV4SRV;WUSB54GV4SRV;C:\WINDOWS\system32\DRIVERS\rt2500usb.sys


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:WIN9X /user /install
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:IE50 /user /install

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:WIN9X /user /install
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:IE50 /user /install

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}]
C:\WINDOWS\SYSTEM32\updcrl.exe -e -u C:\WINDOWS\SYSTEM\verisignpub1.crl
.
Contents of the 'Scheduled Tasks' folder
"2007-10-24 19:44:02 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
.
**************************************************************************

catchme 0.3.1232 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-24 15:47:53
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-24 15:51:29 - machine was rebooted
.
--- E O F ---

And the HiJack (yes I have created the folder like you said:

C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\VCOM\SYSTEM~1\MXTask.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54GSv2.exe
C:\PROGRA~1\VCOM\SYSTEM~1\mxtask.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\AOL\Loader\aolload.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HJT\abc.bat.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://runonce.msn.com/?v=msgrv75
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\SYSTEM32\maskwmzg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: (no name) - {F6B1F430-52B5-4478-9FC6-A94F79D423C3} - C:\WINDOWS\SYSTEM32\rqronmj.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\SYSTEM32\maskwmzg.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Fix-It AV] C:\PROGRA~1\VCOM\SYSTEM~1\MemCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKLM\..\Run: [203d0c55] rundll32.exe "C:\WINDOWS\system32\eximayxp.dll",b
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Hide IP Platinum] C:\Program Files\Hide IP Platinum\hideippla.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Firefly] "C:\Program Files\Firefly 2\Firefly.exe" /autostart
O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKUS\S-1-5-19\..\Run: [Yahoo! Pager] C:\AOL Downloads\Messenger\ypager.exe -quiet (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Yahoo! Pager] C:\AOL Downloads\Messenger\ypager.exe -quiet (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Yahoo! Pager] C:\AOL Downloads\Messenger\ypager.exe -quiet (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Yahoo! Pager] C:\AOL Downloads\Messenger\ypager.exe -quiet (User 'Default user')
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\xfire.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\AOL Downloads\Common/ycsrch.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\AOL Downloads\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\AOL Downloads\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\WINDOWS\System32\shdocvw.dll (HKCU)
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownlo...GPlugin9USA.cab
O20 - Winlogon Notify: maskwmzg - C:\WINDOWS\SYSTEM32\maskwmzg.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: OneStep Search Service - OneStepSearch.net, Inc. - C:\Program Files\OneStepSearch\onestep.exe
O23 - Service: SystemSuite Task Manager - Avanquest Publishing USA, Inc. - C:\PROGRA~1\VCOM\SYSTEM~1\MXTask.exe
O23 - Service: WUSB54GSv2SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
O24 - Desktop Component 0: (no name) - http://img182.exs.cx/img182/3226/narusig0jd.jpg

--
End of file - 9602 bytes


Any more steps to follow? :D

#4 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:09:59 AM

Posted 24 October 2007 - 06:29 PM

Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File(in the menu at the top)>Save as../Save as Type: 'All Files' /File name: CFScript to your desktop.

File::
C:\WINDOWS\SYSTEM32\eximayxp.dll
C:\WINDOWS\SYSTEM32\tsstv.bak2.ren
C:\WINDOWS\SYSTEM32\maskwmzg.dll
C:\WINDOWS\SYSTEM32\tsstv.bak1.ren
C:\WINDOWS\SYSTEM32\tsstv.ini.ren
C:\WINDOWS\SYSTEM32\rqronmj.dll
C:\WINDOWS\SYSTEM32\winsk.scr
C:\WINDOWS\ss3unstl.exe
Folders::
C:\VundoFix Backups
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F6B1F430-52B5-4478-9FC6-A94F79D423C3}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{11A69AE4-FBED-4832-A2BF-45AF82825583}"=-
[-HKEY_CLASSES_ROOT\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"203d0c55"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{F6B1F430-52B5-4478-9FC6-A94F79D423C3}"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\maskwmzg]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MyWebSearch Email Plugin.lnk]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hoadgbw]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MyWebSearch Email Plugin]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yqtunkgz]

Now drag then drop the CFScript file onto ComboFix.exe as seen in the image below.

Posted Image

This will start ComboFix again.
After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply along with a new HijackThis log.
Posted Image
Posted Image

#5 Adam Tran

Adam Tran
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:03:59 AM

Posted 24 October 2007 - 07:20 PM

I believe it is fixed but I am unsure...there's no more pop-up messages and I can connect to my messenging systems and such but you decide Richie =D

ComboFix 07-10-24.1 - Hung Tran 2007-10-24 20:00:50.2 - FAT32x86
Running from: C:\Documents and Settings\Hung Tran\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Hung Tran\Desktop\CFScript.txt
* Created a new restore point

FILE::
C:\WINDOWS\ss3unstl.exe
C:\WINDOWS\SYSTEM32\eximayxp.dll
C:\WINDOWS\SYSTEM32\maskwmzg.dll
C:\WINDOWS\SYSTEM32\rqronmj.dll
C:\WINDOWS\SYSTEM32\tsstv.bak1.ren
C:\WINDOWS\SYSTEM32\tsstv.bak2.ren
C:\WINDOWS\SYSTEM32\tsstv.ini.ren
C:\WINDOWS\SYSTEM32\winsk.scr
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
C:\Documents and Settings\All Users\Start Menu\Online Security Guide.lnk
C:\Documents and Settings\Hung Tran\Desktop\Live Safety Center.lnk
C:\Documents and Settings\Hung Tran\Desktop\Online Security Guide.lnk
C:\Documents and Settings\Hung Tran\Favorites\Online Security Guide.lnk
C:\WINDOWS\ss3unstl.exe
C:\WINDOWS\SYSTEM32\ayyay.ini
C:\WINDOWS\SYSTEM32\eximayxp.dll
C:\WINDOWS\SYSTEM32\maskwmzg.dll
C:\WINDOWS\system32\maskwmzg.dllbox
C:\WINDOWS\SYSTEM32\rqronmj.dll
C:\WINDOWS\SYSTEM32\tsstv.bak1.ren
C:\WINDOWS\SYSTEM32\tsstv.bak2.ren
C:\WINDOWS\SYSTEM32\tsstv.ini.ren
C:\WINDOWS\SYSTEM32\winsk.scr
C:\WINDOWS\system32\yayya.dll

.
((((((((((((((((((((((((( Files Created from 2007-09-25 to 2007-10-25 )))))))))))))))))))))))))))))))
.

2007-10-24 15:17 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-24 14:56 <DIR> d-------- C:\HJT
2007-10-23 22:02 <DIR> d-------- C:\Program Files\Sun
2007-10-23 20:49 <DIR> d-------- C:\VundoFix Backups
2007-10-23 06:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TEMP
2007-10-23 06:11 <DIR> d-------- C:\Program Files\Trojan Remover
2007-10-23 06:11 <DIR> d-------- C:\Documents and Settings\Hung Tran\Application Data\Simply Super Software
2007-10-23 06:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Simply Super Software
2007-10-23 06:11 162,304 --a------ C:\WINDOWS\SYSTEM32\ztvunrar36.dll
2007-10-23 06:11 153,088 --a------ C:\WINDOWS\SYSTEM32\UNRAR3.dll
2007-10-23 06:11 77,312 --a------ C:\WINDOWS\SYSTEM32\ztvunace26.dll
2007-10-23 06:11 75,264 --a------ C:\WINDOWS\SYSTEM32\unacev2.dll
2007-10-23 06:11 69,632 --a------ C:\WINDOWS\SYSTEM32\ztvcabinet.dll
2007-10-22 23:18 <DIR> d-------- C:\Program Files\Avira
2007-10-22 23:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2007-10-22 22:50 <DIR> d--hs---- C:\FOUND.002
2007-10-22 21:56 <DIR> d-------- C:\Program Files\Lavasoft
2007-10-22 21:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-10-22 00:59 340,032 --a------ C:\WINDOWS\SYSTEM32\svtvsfrq.dll
2007-10-20 17:35 <DIR> d--hs---- C:\FOUND.001
2007-10-18 16:21 <DIR> d-------- C:\Documents and Settings\Hung Tran\Application Data\acccore
2007-10-18 16:18 <DIR> d-------- C:\Program Files\AIM6
2007-10-16 17:42 <DIR> d-------- C:\Documents and Settings\Hung Tran\Application Data\IceChat
2007-10-16 17:35 <DIR> d-------- C:\Program Files\IceChat7
2007-10-16 17:35 143,360 --a------ C:\WINDOWS\SYSTEM32\unzip32.dll
2007-10-15 18:24 <DIR> d-------- C:\Program Files\TalkShoe
2007-10-09 17:35 582,656 --------- C:\WINDOWS\SYSTEM32\dllcache\rpcrt4.dll
2007-09-28 22:32 7,552 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\enodpl.sys
2007-09-28 22:32 4,736 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\tandpl.sys
2007-09-28 22:31 <DIR> d-------- C:\Program Files\Ubisoft
2007-09-28 22:16 <DIR> d-------- C:\Program Files\GameSpot
2007-09-28 19:16 <DIR> d-------- C:\Documents and Settings\Hung Tran\Application Data\Talkback
2007-09-25 23:26 28,672 --a------ C:\WINDOWS\SYSTEM32\AVEQT.dll
2007-09-25 23:25 <DIR> d-------- C:\Program Files\MOV to AVI MPEG WMV Converter

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-29 02:16 5,802 ----a-w C:\Program Files\install.log
2007-09-16 04:20 --------- d-----w C:\Program Files\Drawing Hand
2007-09-16 02:49 --------- d-----w C:\Documents and Settings\NetworkService\Application Data\Xfire
2007-09-16 02:48 --------- d-----w C:\Program Files\TGTSoft
2007-09-16 02:27 --------- d-----w C:\Program Files\themexp
2007-09-16 02:27 --------- d-----w C:\Program Files\OneStepSearch
2007-09-11 03:19 84,960 ----a-w C:\Documents and Settings\Hung Tran\Application Data\GDIPFONTCACHEV1.DAT
2007-09-09 23:43 --------- d-----w C:\Program Files\Longtion
2007-09-09 23:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\Ulead Systems
2007-09-09 22:10 --------- d-----w C:\Program Files\Animation GIF Wizard
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\SYSTEM32\inetcomm.dll
2007-08-21 06:15 683,520 ------w C:\WINDOWS\SYSTEM32\dllcache\inetcomm.dll
2007-08-20 10:04 824,832 ----a-w C:\WINDOWS\SYSTEM32\dllcache\wininet.dll
2007-08-20 10:04 671,232 ----a-w C:\WINDOWS\SYSTEM32\dllcache\mstime.dll
2007-08-20 10:04 63,488 ------w C:\WINDOWS\SYSTEM32\dllcache\icardie.dll
2007-08-20 10:04 6,058,496 ------w C:\WINDOWS\SYSTEM32\dllcache\ieframe.dll
2007-08-20 10:04 52,224 ------w C:\WINDOWS\SYSTEM32\dllcache\msfeedsbs.dll
2007-08-20 10:04 477,696 ----a-w C:\WINDOWS\SYSTEM32\dllcache\mshtmled.dll
2007-08-20 10:04 459,264 ------w C:\WINDOWS\SYSTEM32\dllcache\msfeeds.dll
2007-08-20 10:04 44,544 ------w C:\WINDOWS\SYSTEM32\dllcache\iernonce.dll
2007-08-20 10:04 384,512 ------w C:\WINDOWS\SYSTEM32\dllcache\iedkcs32.dll
2007-08-20 10:04 383,488 ------w C:\WINDOWS\SYSTEM32\dllcache\ieapfltr.dll
2007-08-20 10:04 3,584,512 ----a-w C:\WINDOWS\SYSTEM32\dllcache\mshtml.dll
2007-08-20 10:04 27,648 ----a-w C:\WINDOWS\SYSTEM32\dllcache\jsproxy.dll
2007-08-20 10:04 267,776 ------w C:\WINDOWS\SYSTEM32\dllcache\iertutil.dll
2007-08-20 10:04 232,960 ------w C:\WINDOWS\SYSTEM32\dllcache\webcheck.dll
2007-08-20 10:04 230,400 ------w C:\WINDOWS\SYSTEM32\dllcache\ieaksie.dll
2007-08-20 10:04 214,528 ----a-w C:\WINDOWS\SYSTEM32\dllcache\dxtrans.dll
2007-08-20 10:04 193,024 ----a-w C:\WINDOWS\SYSTEM32\dllcache\msrating.dll
2007-08-20 10:04 153,088 ------w C:\WINDOWS\SYSTEM32\dllcache\ieakeng.dll
2007-08-20 10:04 132,608 ----a-w C:\WINDOWS\SYSTEM32\dllcache\extmgr.dll
2007-08-20 10:04 124,928 ------w C:\WINDOWS\SYSTEM32\dllcache\advpack.dll
2007-08-20 10:04 105,984 ------w C:\WINDOWS\SYSTEM32\dllcache\url.dll
2007-08-20 10:04 102,400 ------w C:\WINDOWS\SYSTEM32\dllcache\occache.dll
2007-08-20 10:04 1,152,000 ----a-w C:\WINDOWS\SYSTEM32\dllcache\urlmon.dll
2007-08-17 10:21 625,152 ------w C:\WINDOWS\SYSTEM32\dllcache\iexplore.exe
2007-08-17 10:20 63,488 ------w C:\WINDOWS\SYSTEM32\dllcache\ie4uinit.exe
2007-08-17 10:20 13,824 ------w C:\WINDOWS\SYSTEM32\dllcache\ieudinit.exe
2007-08-17 07:34 161,792 ----a-w C:\WINDOWS\SYSTEM32\dllcache\ieakui.dll
2007-07-30 23:19 92,504 ----a-w C:\WINDOWS\SYSTEM32\dllcache\cdm.dll
2007-07-30 23:19 92,504 ----a-w C:\WINDOWS\SYSTEM32\cdm.dll
2007-07-30 23:19 549,720 ----a-w C:\WINDOWS\SYSTEM32\wuapi.dll
2007-07-30 23:19 549,720 ----a-w C:\WINDOWS\SYSTEM32\dllcache\wuapi.dll
2007-07-30 23:19 53,080 ----a-w C:\WINDOWS\SYSTEM32\wuauclt.exe
2007-07-30 23:19 53,080 ----a-w C:\WINDOWS\SYSTEM32\dllcache\wuauclt.exe
2007-07-30 23:19 43,352 ----a-w C:\WINDOWS\SYSTEM32\wups2.dll
2007-07-30 23:19 325,976 ----a-w C:\WINDOWS\SYSTEM32\wucltui.dll
2007-07-30 23:19 325,976 ----a-w C:\WINDOWS\SYSTEM32\dllcache\wucltui.dll
2007-07-30 23:19 271,224 ----a-w C:\WINDOWS\SYSTEM32\mucltui.dll
2007-07-30 23:19 207,736 ----a-w C:\WINDOWS\SYSTEM32\muweb.dll
2007-07-30 23:19 203,096 ----a-w C:\WINDOWS\SYSTEM32\wuweb.dll
2007-07-30 23:19 203,096 ----a-w C:\WINDOWS\SYSTEM32\dllcache\wuweb.dll
2007-07-30 23:19 1,712,984 ----a-w C:\WINDOWS\SYSTEM32\wuaueng.dll
2007-07-30 23:19 1,712,984 ----a-w C:\WINDOWS\SYSTEM32\dllcache\wuaueng.dll
2007-07-30 23:18 33,624 ----a-w C:\WINDOWS\SYSTEM32\wups.dll
2007-07-30 23:18 33,624 ----a-w C:\WINDOWS\SYSTEM32\dllcache\wups.dll
2007-07-26 23:06 200,704 ----a-w C:\WINDOWS\SYSTEM32\ssldivx.dll
2007-07-26 23:06 1,044,480 ----a-w C:\WINDOWS\SYSTEM32\libdivx.dll
2002-06-21 10:30 266 --sh--w C:\Program Files\desktop.ini
2002-06-21 10:30 11,079 ---h--w C:\Program Files\folder.htt
.

((((((((((((((((((((((((((((( snapshot@2007-10-24_15.48.32.76 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-03-13 14:57:12 163,328 ----a-w C:\WINDOWS\erdnt\subs\F3M\ERDNT.EXE
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50]
"Fix-It AV"="C:\PROGRA~1\VCOM\SYSTEM~1\MemCheck.exe" [2006-02-22 19:51]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-02-23 16:45]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-06-28 20:58]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-09-24 22:25]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 12:22]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-10-22 12:22]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2007-10-22 23:30]
"TrojanScanner"="C:\Program Files\Trojan Remover\Trjscan.exe" [2007-09-30 19:38]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Spyware Doctor"="C:\Program Files\Spyware Doctor\swdoctor.exe" [2005-01-06 14:04]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54]
"Hide IP Platinum"="C:\Program Files\Hide IP Platinum\hideippla.exe" [2006-09-23 17:27]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56]
"Firefly"="C:\Program Files\Firefly 2\Firefly.exe" [2006-12-07 11:42]
"DW4"="C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe" [2007-03-16 07:51]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2007-09-29 16:22]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Yahoo! Pager"=C:\AOL Downloads\Messenger\ypager.exe -quiet

C:\Documents and Settings\Hung Tran\Start Menu\Programs\Startup\
Xfire.lnk - C:\Program Files\Xfire\xfire.exe [2007-10-02 19:56:04]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
@=

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
@=

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Belkin Wireless Network Monitor Utility (USB).lnk]
backup=C:\WINDOWS\pss\Belkin Wireless Network Monitor Utility (USB).lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^CleanSweep Smart Sweep-Internet Sweep.lnk]
backup=C:\WINDOWS\pss\CleanSweep Smart Sweep-Internet Sweep.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Screen Saver Control.lnk]
backup=C:\WINDOWS\pss\Screen Saver Control.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec NetDriver Monitor]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SystemTray]
SysTray.Exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\type32]
"C:\Program Files\Microsoft IntelliType Pro\type32.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WUSB54Gv4]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
C:\AOL Downloads\Messenger\ypager.exe -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WUSB54Gv4SVC"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
"Disc Detector"=C:\Program Files\Creative\ShareDLL\CtNotify.exe
"CTStartup"=C:\PROGRAM FILES\CREATIVE\SPLASH SCREEN\CTEaxSpl.EXE /run
"NvCplDaemon"=RUNDLL32.EXE C:\WINDOWS\SYSTEM32\nvcpl.dll,NvStartup
"nwiz"=nwiz.exe /install
"AdaptecDirectCD"="C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
"StillImageMonitor"=C:\WINDOWS\SYSTEM32\STIMON.EXE
"GhostStartTrayApp"=C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe

R1 ewido security suite driver;ewido security suite driver;\??\C:\Program Files\ewido\security suite\guard.sys
S2 OneStep Search Service;OneStep Search Service;"C:\Program Files\OneStepSearch\onestep.exe" "C:\Program Files\OneStepSearch\onestep.dll" Service
S3 EVOLUSB;%EVOL_USB.SvcDesc%;C:\WINDOWS\system32\drivers\evolusb.sys
S3 MR97310_USB_DUAL_CAMERA;MR97310 CIF Dual Mode Camera;C:\WINDOWS\system32\DRIVERS\mr97310c.sys
S3 WUSB54GV4SRV;WUSB54GV4SRV;C:\WINDOWS\system32\DRIVERS\rt2500usb.sys

*Newly Created Service* - GTNDIS5

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:WIN9X /user /install
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:IE50 /user /install

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:WIN9X /user /install
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:IE50 /user /install

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}]
C:\WINDOWS\SYSTEM32\updcrl.exe -e -u C:\WINDOWS\SYSTEM\verisignpub1.crl
.
Contents of the 'Scheduled Tasks' folder
"2007-10-24 23:44:04 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
.
**************************************************************************

catchme 0.3.1232 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-24 20:09:25
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-24 20:13:04 - machine was rebooted
C:\ComboFix2.txt ... 2007-10-24 15:51
.
--- E O F ---

HiJack

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:19:40 PM, on 10/24/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\VCOM\SYSTEM~1\MXTask.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54GSv2.exe
C:\PROGRA~1\VCOM\SYSTEM~1\mxtask.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Firefly 2\Firefly.exe
C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Common Files\AOL\Loader\aolload.exe
C:\Program Files\Xfire\xfire.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HJT\abc.bat.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\GUARDGUI.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://runonce.msn.com/?v=msgrv75
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Fix-It AV] C:\PROGRA~1\VCOM\SYSTEM~1\MemCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Hide IP Platinum] C:\Program Files\Hide IP Platinum\hideippla.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Firefly] "C:\Program Files\Firefly 2\Firefly.exe" /autostart
O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKUS\S-1-5-19\..\Run: [Yahoo! Pager] C:\AOL Downloads\Messenger\ypager.exe -quiet (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Yahoo! Pager] C:\AOL Downloads\Messenger\ypager.exe -quiet (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Yahoo! Pager] C:\AOL Downloads\Messenger\ypager.exe -quiet (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Yahoo! Pager] C:\AOL Downloads\Messenger\ypager.exe -quiet (User 'Default user')
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\xfire.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\AOL Downloads\Common/ycsrch.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\AOL Downloads\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\AOL Downloads\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\WINDOWS\System32\shdocvw.dll (HKCU)
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownlo...GPlugin9USA.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: OneStep Search Service - OneStepSearch.net, Inc. - C:\Program Files\OneStepSearch\onestep.exe
O23 - Service: SystemSuite Task Manager - Avanquest Publishing USA, Inc. - C:\PROGRA~1\VCOM\SYSTEM~1\MXTask.exe
O23 - Service: WUSB54GSv2SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
O24 - Desktop Component 0: (no name) - http://img182.exs.cx/img182/3226/narusig0jd.jpg

--
End of file - 9443 bytes

#6 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:09:59 AM

Posted 24 October 2007 - 07:33 PM

Download\install 'SuperAntiSpyware Home Edition Free Version' from here:
http://www.superantispyware.com/downloadfi...ANTISPYWAREFREE

Launch SuperAntiSpyware and click on 'Check for updates'.
Once the updates have been installed,exit SuperAntiSpyware.

Have Hijack This fix the following by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

Exit Hijackthis.

Start SuperAntiSpyware.
On the main screen click on 'Scan your computer'.
Check: 'Perform Complete Scan'.
Click 'Next' to start the scan.

Superantispyware will now scan your computer,when it's finished it will list all/any infections found.
Make sure everything found has a checkmark next to it,then press 'Next'.
Click on 'Finish' when you've done.

It's possible that the program will ask you to reboot in order to delete some files.

Obtain the SuperAntiSpyware log as follows:
Click on 'Preferences'.
Click on the 'Statistics/Logs' tab.
Under 'Scanner Logs' double click on 'SuperAntiSpyware Scan Log'.
It will then open in your default text editor,such as Notepad.
Copy and paste the contents of that report into your next reply.


Please run the F-Secure online virus/spyware scan using Internet Explorer:
http://support.f-secure.com/enu/home/ols.shtml
Follow the directions in the F-Secure page for proper Installation.
Accept the License Agreement.
Once the ActiveX installs,Click ‘Custom Scan’ and be sure the following are checked:
1.Scan whole System
2.Scan all files
3.Scan whole system for rootkits
4.Scan whole system for spyware
5.Scan inside archives
6.Use advanced heuristics
Once the download completes,the scan will begin automatically.
The scan will take some time to finish,so please be patient.
When the scan completes, click the ‘I want to decide item by item’ button.
For each item found,Select ‘Disinfect’ and click ‘Next’.
Click the ‘Show Report’ button,then copy and paste the entire report into your next reply.

Also post a new Hijackthis log,let me know how your pc is running now.
Posted Image
Posted Image

#7 Adam Tran

Adam Tran
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:03:59 AM

Posted 24 October 2007 - 10:56 PM

SuperAntiSpyware:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 10/24/2007 at 10:35 PM

Application Version : 3.9.1008

Core Rules Database Version : 3330
Trace Rules Database Version: 1331

Scan type : Complete Scan
Total Scan Time : 01:51:45

Memory items scanned : 456
Memory threats detected : 0
Registry items scanned : 6045
Registry threats detected : 0
File items scanned : 41578
File threats detected : 18

Adware.Tracking Cookie
C:\Documents and Settings\Hung Tran\Cookies\hung_tran@bestsellerantivirus[3].txt
C:\Documents and Settings\Hung Tran\Cookies\hung_tran@revsci[3].txt
C:\Documents and Settings\Hung Tran\Cookies\hung_tran@server.cpmstar[1].txt
C:\Documents and Settings\Hung Tran\Cookies\hung_tran@revsci[2].txt

Adware.WhenU
C:\SYSTEM VOLUME INFORMATION\_RESTORE{53D0C479-FC68-425E-9C9B-501F4E1C8FB4}\RP26\A0010312.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{53D0C479-FC68-425E-9C9B-501F4E1C8FB4}\RP26\A0010313.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{53D0C479-FC68-425E-9C9B-501F4E1C8FB4}\RP26\A0010311.EXE

Spyware.RelevantKnowledge
C:\SYSTEM VOLUME INFORMATION\_RESTORE{53D0C479-FC68-425E-9C9B-501F4E1C8FB4}\RP26\A0009019.EXE

Trojan.NewDotNet
C:\SYSTEM VOLUME INFORMATION\_RESTORE{53D0C479-FC68-425E-9C9B-501F4E1C8FB4}\RP42\A0021312.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{53D0C479-FC68-425E-9C9B-501F4E1C8FB4}\RP48\A0024066.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{53D0C479-FC68-425E-9C9B-501F4E1C8FB4}\RP48\A0024067.EXE
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\NEWDOTNET\NEWDOTNET7_48.DLL.VIR
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\NEWDOTNET\UNINSTALL7_48.EXE.VIR

Malware.LocusSoftware Inc/BestSellerAntivirus
C:\SYSTEM VOLUME INFORMATION\_RESTORE{53D0C479-FC68-425E-9C9B-501F4E1C8FB4}\RP42\A0023349.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{53D0C479-FC68-425E-9C9B-501F4E1C8FB4}\RP42\A0023350.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{53D0C479-FC68-425E-9C9B-501F4E1C8FB4}\RP42\A0023352.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{53D0C479-FC68-425E-9C9B-501F4E1C8FB4}\RP42\A0023353.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{53D0C479-FC68-425E-9C9B-501F4E1C8FB4}\RP42\A0023354.EXE


For some reason I could get through to the scanner, but it says it can't download the necessary scanner components




The HiJack

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:55:43 PM, on 10/24/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\VCOM\SYSTEM~1\MXTask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Common Files\AOL\Loader\aolload.exe
C:\PROGRA~1\VCOM\SYSTEM~1\mxtask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\SYSTEM32\taskmgr.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54GSv2.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\HJT\abc.bat.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://runonce.msn.com/?v=msgrv75
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Fix-It AV] C:\PROGRA~1\VCOM\SYSTEM~1\MemCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Hide IP Platinum] C:\Program Files\Hide IP Platinum\hideippla.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Firefly] "C:\Program Files\Firefly 2\Firefly.exe" /autostart
O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [Yahoo! Pager] C:\AOL Downloads\Messenger\ypager.exe -quiet (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Yahoo! Pager] C:\AOL Downloads\Messenger\ypager.exe -quiet (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Yahoo! Pager] C:\AOL Downloads\Messenger\ypager.exe -quiet (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Yahoo! Pager] C:\AOL Downloads\Messenger\ypager.exe -quiet (User 'Default user')
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\xfire.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\AOL Downloads\Common/ycsrch.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\AOL Downloads\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\AOL Downloads\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\WINDOWS\System32\shdocvw.dll (HKCU)
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownlo...GPlugin9USA.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: OneStep Search Service - OneStepSearch.net, Inc. - C:\Program Files\OneStepSearch\onestep.exe
O23 - Service: SystemSuite Task Manager - Avanquest Publishing USA, Inc. - C:\PROGRA~1\VCOM\SYSTEM~1\MXTask.exe
O23 - Service: WUSB54GSv2SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
O24 - Desktop Component 0: (no name) - http://img182.exs.cx/img182/3226/narusig0jd.jpg

--
End of file - 9453 bytes

#8 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:09:59 AM

Posted 25 October 2007 - 04:14 AM

Your log is clean :thumbsup:
If all's ok,please do the following:

Click on Start/Run,copy and paste ComboFix /u into the 'Open:' space,then press Ok.

Posted Image

Please download OTMoveIt by OldTimer:
http://download.bleepingcomputer.com/oldtimer/OTMoveIt.exe
Save it to your desktop.
Please double-click OTMoveIt.exe to run it.
Click on the 'Cleanup' button Posted Image
When you do this a text file named cleanup.txt will be downloaded from the internet.
If you get a warning from your firewall or other security programs regarding OTMoveIt attempting to contact the internet you should allow it to do so.
When the 'Confirm' box appears click 'Yes'.
Restart your pc when prompted.


Download ATF Cleaner by Atribune:
http://www.atribune.org/ccount/click.php?id=1

Double-click ATF-Cleaner.exe to run the program.
Click 'Select All' found at the bottom of the list.
Click the 'Empty Selected' button.

If you use Firefox browser, do this also:
Click Firefox at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords,please click 'No' at the prompt.

If you use Opera browser,do this also:
Click Opera at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords,please click 'No' at the prompt.
Click 'Exit' on the Main menu to close the program.


Click on Start/All Programs/Accessories/System Tools/System Restore.
In the 'System Restore' window,click on the 'Create a Restore Point' button,then click 'Next'.
In the window that appears,enter a description\name for the Restore Point,then click on 'Create',wait,then click 'Close'.
The date and time will be created automatically.

Next click on Start/All Programs/Accessories/System Tools/Disk Cleanup.
The 'Select Drive' box will appear,click on Ok.
The 'Disk Cleanup for [C:]' box will appear,click on the 'More Options' tab.
At the bottom in the 'System Restore' window,click on the 'Clean up...' button.
A box will pop up 'Are you sure you want to delete all but the most recent restore point?',click on 'Yes'.
Click on 'Yes' at 'Are you sure you want to perform these actions?'.
Now wait until 'Disk Cleanup' finishes and the box disappears.

Read through the information found in the links below,to help you prevent any possible future infections:

Simple and easy ways to keep your computer safe and secure on the Internet:
http://www.bleepingcomputer.com/tutorials/keep-your-computer-safe-online/

How to prevent Malware by miekiemoes:
http://users.telenet.be/bluepatchy/miekiem...prevention.html
Posted Image
Posted Image

#9 Adam Tran

Adam Tran
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:03:59 AM

Posted 25 October 2007 - 01:54 PM

thank you so much Richie!!

If I have another problem with my computer I'll make sure I'll come to you :thumbsup:

Do you believe that it is wise that I use Ad-Aware 2007 and AVG Antivirus?

#10 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:09:59 AM

Posted 25 October 2007 - 02:46 PM

You haven't got AVG Antivirus installed :thumbsup:
Posted Image
Posted Image

#11 Adam Tran

Adam Tran
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:03:59 AM

Posted 25 October 2007 - 06:26 PM

but you know what I mean :thumbsup:

so I should use AVG and Ad-Aware correct?

#12 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:09:59 AM

Posted 25 October 2007 - 06:29 PM

Yes :thumbsup:
Posted Image
Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users