Malware Infection


7 replies to this topic

#1 marchin23


Posted 09 November 2007 - 02:26 PM

I receive a yellow balloon in the bottom right of my screen stating that my computer is infected. Either system alert or security alert. Then, IE windows will start popping up with different antispyware downloads for me to use. Obviously I haven't clicked on any of them and I know they are the virus. I just want to get rid of them. I have run AVS, Spybot, Adaware, Antispyware, etc., with no results. I could really use some help with this. Listed below is my current HJT log. Any help would be greatly appreciated. Thanks.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:21, on 2007-11-09
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Common Files\AOL\1150394361\ee\AOLSoftware.exe
C:\WINDOWS\plite731.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\administrator.BC\Desktop\HiJackThis.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {331401de-6a1a-43ab-8ccf-4b90460d7939} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {8ABA9A9C-8791-4d61-8D5B-BCC9448EA573} - (no file)
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\dfvayxls.dll
O2 - BHO: (no name) - {E0BC9A8A-91D7-4408-92B7-C1C285C502EC} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\dfvayxls.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1150394361\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [plite731] C:\WINDOWS\plite731.exe
O4 - HKLM\..\Run: [f02c6bab] rundll32.exe "C:\WINDOWS\system32\ajqrekqq.dll",b
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: eFax DllCmd 4.0.lnk = C:\Program Files\eFax Messenger 4.0\J2GDllCmd.exe
O4 - Global Startup: eFax Tray Menu 4.0.lnk = C:\Program Files\eFax Messenger 4.0\J2GTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O15 - Trusted Zone: *.avsystemcare.com (HKLM)
O15 - Trusted Zone: *.gomyhit.com (HKLM)
O15 - Trusted Zone: *.imageservr.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.onerateld.com (HKLM)
O15 - Trusted Zone: *.trustedantivirus.com (HKLM)
O15 - Trusted Zone: *.virusschlacht.com (HKLM)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5C86F808-EDD2-4E5D-9C4F-E0D1ADA859AF} (Web Conferencing) - http://server.mymeetingcentral.com/join_a.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = BC.local
O17 - HKLM\Software\..\Telephony: DomainName = BC.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{D58F47A8-090C-4D4D-81EA-7A20EFE47389}: NameServer = 192.168.1.209,205.254.224.4,199.201.128.1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = BC.local
O17 - HKLM\System\CS1\Services\Tcpip\..\{D58F47A8-090C-4D4D-81EA-7A20EFE47389}: NameServer = 192.168.1.209,205.254.224.4,199.201.128.1
O20 - Winlogon Notify: dfvayxls - C:\WINDOWS\SYSTEM32\dfvayxls.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 7643 bytes
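A triage pass over HJT log lines like the ones posted above, written as an added example for this thread (it is not a tool from the original post or from HijackThis itself). The sample lines are copied from the posted log; the Winlogon Notify allowlist and the flagging rules are this example's own assumptions, and the correlation step (one DLL registered as BHO, toolbar and Winlogon notify package) is what makes dfvayxls.dll stand out.

```python
"""Parse a HijackThis v2 log and surface the load points a responder looks at first.

Added example for this thread, not code from the original post or from HijackThis.
Sample lines are copied from the log posted above (a subset, to keep it short).
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Subset of the posted HJT log, used as sample input.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {331401de-6a1a-43ab-8ccf-4b90460d7939} - (no file)
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\dfvayxls.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\dfvayxls.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [plite731] C:\WINDOWS\plite731.exe
O4 - HKLM\..\Run: [f02c6bab] rundll32.exe "C:\WINDOWS\system32\ajqrekqq.dll",b
O15 - Trusted Zone: *.avsystemcare.com (HKLM)
O15 - Trusted Zone: *.trustedantivirus.com (HKLM)
O20 - Winlogon Notify: dfvayxls - C:\WINDOWS\SYSTEM32\dfvayxls.dll
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
"""

# HJT entries start with a section tag such as O2, O4, O15, O20, R3.
ENTRY_RE = re.compile(r"^([RFNO]\d+) - (.*)$")
# A Windows path up to a binary/shortcut extension; spaces are allowed because
# HJT prints unquoted "C:\Program Files\..." paths.
PATH_RE = re.compile(r"[A-Za-z]:\\.+?\.(?:exe|dll|sys|lnk|bat)\b", re.IGNORECASE)

# Assumption of this example: Winlogon Notify packages found on a stock XP SP2
# install. Anything else is worth a closer look.
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                "sclgntfy", "senslogn", "termsrv", "wlballoon"}


@dataclass
class Entry:
    section: str
    body: str
    paths: list = field(default_factory=list)


def parse_hjt(text):
    """Split an HJT log into entries, extracting every file path (lower-cased)."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # header, process list or blank line
        section, body = m.groups()
        paths = [p.lower() for p in PATH_RE.findall(body)]
        entries.append(Entry(section, body, paths))
    return entries


def multi_loadpoint_files(entries):
    """Map each file to the HJT sections that reference it, keeping only files
    registered in more than one load point (a strong persistence signal)."""
    seen = defaultdict(set)
    for e in entries:
        for p in e.paths:
            seen[p].add(e.section)
    return {p: s for p, s in seen.items() if len(s) > 1}


def triage(entries):
    """Return (section, reason, detail) tuples for entries worth reviewing."""
    findings = []
    for e in entries:
        if e.section == "O2" and e.body.endswith("(no file)"):
            findings.append((e.section, "orphaned BHO registration", e.body))
        elif e.section == "O15":
            # A wildcard domain in the Trusted zone lowers IE security for that site.
            findings.append((e.section, "trusted zone entry lowers IE security for that domain", e.body))
        elif e.section == "O20":
            name = e.body.split(":", 1)[1].split(" - ")[0].strip().lower()
            if name not in KNOWN_NOTIFY:
                findings.append((e.section, "non-default Winlogon Notify DLL", e.body))
        elif e.section == "O4" and "rundll32" in e.body.lower() and any(p.endswith(".dll") for p in e.paths):
            findings.append((e.section, "Run key loads a DLL via rundll32", e.body))
    for path, sections in sorted(multi_loadpoint_files(entries).items()):
        findings.append(("*", f"same file registered in {', '.join(sorted(sections))}", path))
    return findings


if __name__ == "__main__":
    for section, reason, detail in triage(parse_hjt(SAMPLE_LOG)):
        print(f"[{section:>3}] {reason}: {detail}")
```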


#2 RichieUK

  • Malware Response Team

Posted 09 November 2007 - 06:25 PM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum marchin23 :thumbsup:
My name is Richie and I'll be helping you to fix your problems.

Please move HijackThis to a permanent folder on the hard drive such as C:\HJT.
Create a new folder and place HijackThis.exe inside that folder so that the backups of log changes it creates are saved in the same folder and can be used to reverse any line entry deletion if found to be necessary.
If you run Hijackthis from the desktop, the files it removes will not be backed up properly.

How to create a new folder named HJT
1. Click Start/My Computer. In the 'My Computer' window, open the window in which you want to create the new folder: click on Local Disk C:
2. From the 'File' menu choose 'New'.
3. From the 'New' menu choose 'Folder'.
4. Type the folder name: HJT
5. Then press Enter.

If you need help, follow the info in the link below:
http://russelltexas.com/malware/createhjtfolder.htm


Download DelDomains.zip and extract/unzip it to your desktop:
Now right click on Deldomains.inf then click on 'Install'.
After right clicking on Deldomains.inf and choosing 'Install', it will appear that nothing happened; this is normal.

If you have previously downloaded ComboFix,please delete that version now.
Now download Combofix and save to your desktop:
Note:
It is important that it is saved directly to your desktop

Close any open browsers.
Disconnect from the Internet.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.
Note:
Do not mouseclick combofix's window while it's running.
That may cause the program to freeze/hang.

Do NOT post the ComboFix-quarantined-files.txt unless I ask.
*Note*
In case your Antivirus or any other realtime scanner is displaying an alert after you downloaded Combofix or while you use Combofix, please disable your scanner and redownload Combofix again.
Some scanners may see some combofix related components as suspicious and block or delete them while there's nothing wrong with them.

Also post a new Hijackthis log please.

#3 marchin23


Posted 10 November 2007 - 04:40 PM

Richie,
I really appreciate the help and your quick response. Here are the two logs you asked for starting with the combofix log.

ComboFix 07-11-08.3 - Administrator 2007-11-10 14:11:39.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.53 [GMT -8:00]
Running from: C:\Documents and Settings\administrator.BC\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\administrator.BC\Desktop\Live Safety Center.lnk
C:\Documents and Settings\administrator.BC\Desktop\Online Security Guide.lnk
C:\Documents and Settings\administrator.BC\Favorites\Online Security Guide.lnk
C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
C:\Documents and Settings\All Users\Start Menu\Online Security Guide.lnk
C:\Documents and Settings\wes\Start Menu\Programs\Internet Speed Monitor
C:\Documents and Settings\wes\Start Menu\Programs\Internet Speed Monitor\Check Now.lnk
C:\Documents and Settings\wes\Start Menu\Programs\Internet Speed Monitor\Uninstall.lnk
C:\WINDOWS\system32\dfvayxls.dllbox

.
((((((((((((((((((((((((( Files Created from 2007-10-10 to 2007-11-10 )))))))))))))))))))))))))))))))
.

2007-11-10 14:01 <DIR> d-------- C:\HJT
2007-11-09 10:47 <DIR> d-------- C:\Documents and Settings\wes\Application Data\Grisoft
2007-11-07 13:09 <DIR> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab
2007-11-07 13:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-11-07 11:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-11-07 11:33 <DIR> d-------- C:\Documents and Settings\administrator.BC\Application Data\Grisoft
2007-11-07 11:33 10,872 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\AvgAsCln.sys
2007-11-06 10:48 <DIR> d-------- C:\Documents and Settings\wes\Application Data\SUPERAntiSpyware.com
2007-11-06 10:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2007-11-05 10:59 289,144 --a------ C:\WINDOWS\SYSTEM32\VCCLSID.exe
2007-11-05 10:59 288,417 --a------ C:\WINDOWS\SYSTEM32\SrchSTS.exe
2007-11-05 10:59 53,248 --a------ C:\WINDOWS\SYSTEM32\Process.exe
2007-11-05 10:59 51,200 --a------ C:\WINDOWS\SYSTEM32\dumphive.exe
2007-11-05 10:59 25,600 --a------ C:\WINDOWS\SYSTEM32\WS2Fix.exe
2007-11-02 10:09 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-01 10:07 <DIR> d-------- C:\Deckard
2007-10-31 13:25 6,058,496 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ieframe.dll
2007-10-31 13:25 2,455,488 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ieapfltr.dat
2007-10-31 13:25 459,264 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\msfeeds.dll
2007-10-31 13:25 383,488 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ieapfltr.dll
2007-10-31 13:25 267,776 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\iertutil.dll
2007-10-31 13:25 63,488 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\icardie.dll
2007-10-31 13:25 52,224 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\msfeedsbs.dll
2007-10-31 13:25 13,824 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ieudinit.exe
2007-10-31 12:08 <DIR> d-------- C:\Program Files\a-squared Anti-Malware
2007-10-31 11:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Prevx
2007-10-31 08:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-10-31 08:08 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-10-31 08:08 <DIR> d-------- C:\Documents and Settings\administrator.BC\Application Data\SUPERAntiSpyware.com
2007-10-31 07:49 <DIR> d-------- C:\Program Files\CCleaner
2007-10-30 17:14 24,064 --a------ C:\WINDOWS\SYSTEM32\msxml3a.dll
2007-10-30 13:31 94,480 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\tmcomm.sys
2007-10-30 13:27 <DIR> d-------- C:\Documents and Settings\administrator.BC\.housecall6.6
2007-10-30 08:55 1,152 --a------ C:\WINDOWS\SYSTEM32\windrv.sys
2007-10-30 08:54 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2007-10-30 08:47 420,364 --ahs---- C:\WINDOWS\SYSTEM32\rstwa.ini2
2007-10-30 08:34 2,794 --a------ C:\WINDOWS\SYSTEM32\tmp.reg
2007-10-30 07:29 340,032 --a------ C:\WINDOWS\SYSTEM32\dfvayxls.dll
2007-10-30 07:28 340,032 --a------ C:\WINDOWS\SYSTEM32\qsxlnmjd.dll
2007-10-29 13:32 589 --a------ C:\WINDOWS\SYSTEM32\epgnrowt.dll
2007-10-29 10:49 589 --a------ C:\WINDOWS\SYSTEM32\qgvkxcvw.dll
2007-10-29 10:27 589 --a------ C:\WINDOWS\SYSTEM32\hgjanggs.dll
2007-10-29 10:07 589 --a------ C:\WINDOWS\SYSTEM32\bpypeylq.dll
2007-10-29 08:22 589 --a------ C:\WINDOWS\SYSTEM32\aoemmnjy.dll
2007-10-29 08:02 589 --a------ C:\WINDOWS\SYSTEM32\ecvmfgkb.dll
2007-10-29 07:24 589 --a------ C:\WINDOWS\SYSTEM32\daymslsj.dll
2007-10-26 13:40 410,103 --ahs---- C:\WINDOWS\SYSTEM32\rstwa.bak2
2007-10-26 13:23 <DIR> d--hs---- C:\WINDOWS\VG9ueSBOZXd0b24
2007-10-26 13:23 41 --a------ C:\WINDOWS\plite731_uninstaller_.bat
2007-10-26 13:22 294,668 --a------ C:\WINDOWS\frexup2.exe
2007-10-26 13:22 13,824 --a------ C:\WINDOWS\plite731.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-09 18:52 --------- d-----w C:\Documents and Settings\wes\Application Data\AdobeUM
2007-11-07 20:45 --------- d-----w C:\Program Files\Java
2007-11-06 18:48 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-10-31 23:28 --------- d-----w C:\Program Files\Symantec AntiVirus
2007-10-31 23:27 --------- d-----w C:\Program Files\QuickTime
2007-10-31 23:21 --------- d-----w C:\Program Files\iTunes
2007-10-31 23:21 --------- d-----w C:\Program Files\Digital Line Detect
2007-10-31 23:21 --------- d-----w C:\Program Files\DellSupport
2007-10-31 23:20 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-10-31 17:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-10-31 15:46 --------- d-----w C:\Program Files\Viewpoint
2007-10-31 15:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-10-29 18:52 --------- d-----w C:\Program Files\Bodog Poker
2007-10-29 18:20 --------- d-----w C:\Program Files\omniformat
2007-10-29 17:12 10 ----a-w C:\Program Files\.autoreg
2007-10-29 15:53 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-25 01:56 --------- d-----w C:\Program Files\Google
2007-10-25 01:54 --------- d-----w C:\Program Files\BetZip
2007-10-17 01:17 --------- d-----w C:\Program Files\UltimateBet
2007-09-27 20:59 --------- d-----w C:\Documents and Settings\roger\Application Data\AdobeUM
2007-09-14 18:30 --------- d-----w C:\Documents and Settings\roger\Application Data\GTek
2007-09-14 18:29 --------- d-----w C:\Documents and Settings\roger\Application Data\Talkback
2007-09-12 23:13 --------- d-----w C:\Program Files\Absolute Poker
2007-08-22 12:55 474,112 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\shlwapi.dll
2007-08-22 12:55 151,040 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\cdfview.dll
2007-08-22 12:55 1,498,112 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\shdocvw.dll
2007-08-22 12:55 1,054,208 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\danim.dll
2007-08-22 12:55 1,022,976 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\browseui.dll
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\SYSTEM32\inetcomm.dll
2007-08-21 06:15 683,520 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\inetcomm.dll
2007-08-20 23:34 3,584,512 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtml.dll
2007-08-20 10:04 824,832 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\wininet.dll
2007-08-20 10:04 671,232 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\mstime.dll
2007-08-20 10:04 477,696 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtmled.dll
2007-08-20 10:04 44,544 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iernonce.dll
2007-08-20 10:04 384,512 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iedkcs32.dll
2007-08-20 10:04 27,648 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\jsproxy.dll
2007-08-20 10:04 232,960 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\webcheck.dll
2007-08-20 10:04 230,400 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieaksie.dll
2007-08-20 10:04 214,528 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\dxtrans.dll
2007-08-20 10:04 193,024 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\msrating.dll
2007-08-20 10:04 153,088 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieakeng.dll
2007-08-20 10:04 132,608 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\extmgr.dll
2007-08-20 10:04 124,928 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\advpack.dll
2007-08-20 10:04 105,984 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\url.dll
2007-08-20 10:04 102,400 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\occache.dll
2007-08-20 10:04 1,152,000 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\urlmon.dll
2007-08-17 10:21 625,152 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iexplore.exe
2007-08-17 10:20 63,488 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ie4uinit.exe
2007-08-17 07:34 161,792 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieakui.dll
2007-08-14 02:54 413,696 ----a-w C:\WINDOWS\SYSTEM32\vbscript.dll
2007-08-14 02:54 413,696 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\vbscript.dll
2007-08-14 02:54 33,792 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\custsat.dll
2007-08-14 02:54 191,488 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\iepeers.dll
2007-08-14 02:54 156,160 ----a-w C:\WINDOWS\SYSTEM32\msls31.dll
2007-08-14 02:54 156,160 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\msls31.dll
2007-08-14 02:45 78,336 ----a-w C:\WINDOWS\SYSTEM32\ieencode.dll
2007-08-14 02:45 78,336 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieencode.dll
2007-08-14 02:44 69,120 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\iedw.exe
2007-08-14 02:44 40,960 ----a-w C:\WINDOWS\SYSTEM32\licmgr10.dll
2007-08-14 02:44 40,960 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\licmgr10.dll
2007-08-14 02:42 17,408 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\corpol.dll
2007-08-14 02:39 92,672 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\inseng.dll
2007-08-14 02:39 71,680 ----a-w C:\WINDOWS\SYSTEM32\admparse.dll
2007-08-14 02:39 71,680 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\admparse.dll
2007-08-14 02:39 55,296 ----a-w C:\WINDOWS\SYSTEM32\iesetup.dll
2007-08-14 02:39 55,296 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iesetup.dll
2007-08-14 02:38 491,520 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\jscript.dll
2007-08-14 02:36 44,544 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\pngfilt.dll
2007-08-14 02:36 36,352 ----a-w C:\WINDOWS\SYSTEM32\imgutil.dll
2007-08-14 02:36 36,352 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\imgutil.dll
2007-08-14 02:35 346,624 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\dxtmsft.dll
2007-08-14 02:32 45,568 ----a-w C:\WINDOWS\SYSTEM32\mshta.exe
2007-08-14 02:32 45,568 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\mshta.exe
2007-08-14 02:18 60,416 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\hmmapi.dll
2007-08-14 02:01 48,128 ----a-w C:\WINDOWS\SYSTEM32\mshtmler.dll
2007-08-14 02:01 48,128 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtmler.dll
2005-11-03 21:30 483,401 -c--a-w C:\Documents and Settings\paulperez\314_gotomypc.exe
2005-08-17 14:07 483,401 -c--a-w C:\Documents and Settings\chawn\gotomypc.exe
2005-08-11 14:25 483,401 -c--a-w C:\Documents and Settings\paulperez\gotomypc.exe
.

((((((((((((((((((((((((((((( snapshot@2007-11-02_10.34.32.10 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-10-30 02:56:19 136,192 ----a-w C:\WINDOWS\catchme.exe
+ 2007-11-09 00:59:01 136,704 ----a-w C:\WINDOWS\catchme.exe
- 2003-11-19 21:36:26 24,681 ----a-w C:\WINDOWS\SYSTEM32\java.exe
+ 2007-09-25 06:30:28 135,168 ----a-w C:\WINDOWS\SYSTEM32\java.exe
- 2003-11-19 21:36:30 28,779 ----a-w C:\WINDOWS\SYSTEM32\javaw.exe
+ 2007-09-25 06:30:30 135,168 ----a-w C:\WINDOWS\SYSTEM32\javaw.exe
+ 2007-09-25 07:31:42 139,264 ----a-w C:\WINDOWS\SYSTEM32\javaws.exe
+ 2005-05-24 20:27:16 213,048 ----a-w C:\WINDOWS\SYSTEM32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-08-29 23:47:20 94,208 ----a-w C:\WINDOWS\SYSTEM32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-29 23:49:54 950,272 ----a-w C:\WINDOWS\SYSTEM32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{331401de-6a1a-43ab-8ccf-4b90460d7939}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{549B5CA7-4A86-11D7-A4DF-000874180BB3}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8ABA9A9C-8791-4d61-8D5B-BCC9448EA573}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
2007-10-30 07:29 340032 --a------ C:\WINDOWS\system32\dfvayxls.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E0BC9A8A-91D7-4408-92B7-C1C285C502EC}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{11A69AE4-FBED-4832-A2BF-45AF82825583}"= C:\WINDOWS\system32\dfvayxls.dll [2007-10-30 07:29 340032]

[HKEY_CLASSES_ROOT\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-10-19 07:59]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-10-19 07:59]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2005-10-25 11:48]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2005-10-18 11:58]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-11-23 13:54]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2005-04-08 15:52]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2005-04-17 12:30]
"HostManager"="C:\Program Files\Common Files\AOL\1150394361\ee\AOLSoftware.exe" [2006-04-20 09:10]
"IPHSend"="C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe" [2006-02-17 08:59]
"plite731"="C:\WINDOWS\plite731.exe" [2007-10-26 13:22]
"f02c6bab"="C:\WINDOWS\system32\ajqrekqq.dll" []
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 01:25]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 08:24]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 11:09]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56]

C:\Documents and Settings\paulperez\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-01-21 00:15:54]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2004-08-17 07:00:48]
eFax DllCmd 4.0.lnk - C:\Program Files\eFax Messenger 4.0\J2GDllCmd.exe [2005-08-16 08:40:23]
eFax Tray Menu 4.0.lnk - C:\Program Files\eFax Messenger 4.0\J2GTray.exe [2005-08-16 08:40:24]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-01-21 00:15:54]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dfvayxls]
dfvayxls.dll 2007-10-30 07:29 340032 C:\WINDOWS\SYSTEM32\dfvayxls.dll


.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-10 14:24:05
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-10 14:30:10 - machine was rebooted
C:\ComboFix2.txt ... 2007-11-07 11:29
C:\ComboFix3.txt ... 2007-11-02 11:19
.
--- E O F ---


And the HJT log...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:35, on 2007-11-10
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\AOL\1150394361\ee\AOLSoftware.exe
C:\WINDOWS\plite731.exe
C:\Program Files\Symantec AntiVirus\DoScan.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\HJT\HiJackThis(2).exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {331401de-6a1a-43ab-8ccf-4b90460d7939} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {8ABA9A9C-8791-4d61-8D5B-BCC9448EA573} - (no file)
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\dfvayxls.dll
O2 - BHO: (no name) - {E0BC9A8A-91D7-4408-92B7-C1C285C502EC} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\dfvayxls.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1150394361\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [plite731] C:\WINDOWS\plite731.exe
O4 - HKLM\..\Run: [f02c6bab] rundll32.exe "C:\WINDOWS\system32\ajqrekqq.dll",b
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-21-1454471165-1563985344-1060284298-1114\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User '?')
O4 - HKUS\S-1-5-21-1454471165-1563985344-1060284298-1114\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup (User '?')
O4 - HKUS\S-1-5-21-1454471165-1563985344-1060284298-1120\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User '?')
O4 - HKUS\S-1-5-21-1454471165-1563985344-1060284298-500\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User '?')
O4 - HKUS\S-1-5-21-1625773084-1345031903-1050162868-1133\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User '?')
O4 - HKUS\S-1-5-21-1625773084-1345031903-1050162868-1134\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User '?')
O4 - HKUS\S-1-5-21-1625773084-1345031903-1050162868-1136\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User '?')
O4 - HKUS\S-1-5-21-1625773084-1345031903-1050162868-1137\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User '?')
O4 - HKUS\S-1-5-21-1625773084-1345031903-1050162868-1138\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User '?')
O4 - HKUS\S-1-5-21-1625773084-1345031903-1050162868-1144\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User '?')
O4 - HKUS\S-1-5-21-1625773084-1345031903-1050162868-1145\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User '?')
O4 - HKUS\S-1-5-21-1625773084-1345031903-1050162868-1149\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup (User '?')
O4 - HKUS\S-1-5-21-1625773084-1345031903-1050162868-1153\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup (User '?')
O4 - HKUS\S-1-5-21-2011074640-2707549607-1312364994-1006\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe (User '?')
O4 - HKUS\S-1-5-21-2011074640-2707549607-1312364994-1012\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime (User '?')
O4 - HKUS\S-1-5-21-2011074640-2707549607-1312364994-1013\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup (User 'toby')
O4 - HKUS\S-1-5-21-2011074640-2707549607-1312364994-1015\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup (User 'roger')
O4 - S-1-5-21-1625773084-1345031903-1050162868-1145 Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE (User '?')
O4 - S-1-5-21-1625773084-1345031903-1050162868-1145 Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE (User '?')
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: eFax DllCmd 4.0.lnk = C:\Program Files\eFax Messenger 4.0\J2GDllCmd.exe
O4 - Global Startup: eFax Tray Menu 4.0.lnk = C:\Program Files\eFax Messenger 4.0\J2GTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5C86F808-EDD2-4E5D-9C4F-E0D1ADA859AF} (Web Conferencing) - http://server.mymeetingcentral.com/join_a.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = BC.local
O17 - HKLM\Software\..\Telephony: DomainName = BC.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{D58F47A8-090C-4D4D-81EA-7A20EFE47389}: NameServer = 192.168.1.209,205.254.224.4,199.201.128.1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = BC.local
O17 - HKLM\System\CS1\Services\Tcpip\..\{D58F47A8-090C-4D4D-81EA-7A20EFE47389}: NameServer = 192.168.1.209,205.254.224.4,199.201.128.1
O20 - Winlogon Notify: dfvayxls - C:\WINDOWS\SYSTEM32\dfvayxls.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 9977 bytes

Again, thank you for your help...

#4 RichieUK
    Malware Assassin
  • Malware Response Team
  • 13,614 posts

Posted 10 November 2007 - 07:43 PM

Copy and paste ALL of the following text into Notepad.
Click File (in the menu at the top) > Save As..., set 'Save as type' to 'All Files', name the file CFScript, and save it to your desktop.

File::
C:\WINDOWS\frexup2.exe
C:\WINDOWS\plite731.exe
C:\WINDOWS\SYSTEM32\rstwa.ini2
C:\WINDOWS\SYSTEM32\dfvayxls.dll
C:\WINDOWS\SYSTEM32\qsxlnmjd.dll
C:\WINDOWS\SYSTEM32\epgnrowt.dll
C:\WINDOWS\SYSTEM32\qgvkxcvw.dll
C:\WINDOWS\SYSTEM32\hgjanggs.dll
C:\WINDOWS\SYSTEM32\bpypeylq.dll
C:\WINDOWS\SYSTEM32\aoemmnjy.dll
C:\WINDOWS\SYSTEM32\ecvmfgkb.dll
C:\WINDOWS\SYSTEM32\daymslsj.dll
C:\WINDOWS\SYSTEM32\rstwa.bak2
C:\WINDOWS\plite731_uninstaller_.bat
Folder::
C:\WINDOWS\VG9ueSBOZXd0b24
C:\Program Files\Viewpoint
C:\Documents and Settings\All Users\Application Data\Viewpoint
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{331401de-6a1a-43ab-8ccf-4b90460d7939}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{549B5CA7-4A86-11D7-A4DF-000874180BB3}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8ABA9A9C-8791-4d61-8D5B-BCC9448EA573}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E0BC9A8A-91D7-4408-92B7-C1C285C502EC}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{11A69AE4-FBED-4832-A2BF-45AF82825583}"=-
[-HKEY_CLASSES_ROOT\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"plite731"=-
"f02c6bab"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dfvayxls]

Now drag and drop the CFScript file onto ComboFix.exe.

This will start ComboFix again.
After the reboot (if it asks to reboot), post the contents of ComboFix.txt in your next reply along with a new HijackThis log.
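An added example, not part of RichieUK's post and not code from ComboFix, HijackThis or any other tool named in this thread: a small Python triage script that applies the same reasoning a helper applies by eye to HijackThis O2/O3/O4/O20 lines. The sample lines are copied from the logs posted in this thread (benign and hostile mixed); the rule names, the "8 hex digits loaded through rundll32" and "binary started from the Windows root" heuristics, and the KNOWN_NOTIFY allowlist are the example's own assumptions, and the allowlist is deliberately incomplete.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Finding:
    rule: str
    line: str
    detail: str


# Constructed sample: lines copied from the HijackThis logs in this thread.
SAMPLE_LOG = r"""
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: (no name) - {331401de-6a1a-43ab-8ccf-4b90460d7939} - (no file)
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\dfvayxls.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\dfvayxls.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [plite731] C:\WINDOWS\plite731.exe
O4 - HKLM\..\Run: [f02c6bab] rundll32.exe "C:\WINDOWS\system32\ajqrekqq.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: dfvayxls - C:\WINDOWS\SYSTEM32\dfvayxls.dll
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
"""

# Assumed (and deliberately incomplete) allowlist of Winlogon Notify packages that
# ship with Windows XP. Anything else is "review", not automatically "malicious".
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                "sclgntfy", "senslogn", "termsrv", "wlballoon"}

RE_HOOK = re.compile(r"^O(2|3) - (?:BHO|Toolbar): (.*?) - \{([0-9A-Fa-f-]+)\} - (.*)$")
RE_RUN = re.compile(r"^O4 - (.+?)\\\.\.\\Run: \[(.+?)\] (.+)$")
RE_NOTIFY = re.compile(r"^O20 - Winlogon Notify: (\S+) - (.+)$")
RE_HEXNAME = re.compile(r"^[0-9a-f]{8}$")           # heuristic: random hex value name
RE_WINROOT_EXE = re.compile(r"^[a-z]:\\windows\\[^\\]+\.exe$", re.I)  # heuristic


def _first_path(cmd: str) -> str:
    """Return the executable or DLL path at the start of an O4 command, quotes stripped."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split(" ", 1)[0]


def analyze(log_text: str) -> List[Finding]:
    """Flag suspicious autostart entries and correlate one DLL across hook types."""
    findings: List[Finding] = []
    hooks: Dict[str, set] = defaultdict(set)        # lowercased path -> hook kinds
    hook_lines: Dict[str, List[str]] = defaultdict(list)

    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue

        m = RE_HOOK.match(line)
        if m:
            kind = "BHO" if m.group(1) == "2" else "Toolbar"
            target = m.group(4)
            if target == "(no file)":
                findings.append(Finding("orphan-clsid", line,
                    f"{kind} CLSID {m.group(3)} points at a missing file; dead registration"))
            else:
                hooks[target.lower()].add(kind)
                hook_lines[target.lower()].append(line)
            continue

        m = RE_RUN.match(line)
        if m:
            hive, name, cmd = m.groups()
            if cmd.lower().startswith("rundll32.exe") and RE_HEXNAME.match(name):
                dll = _first_path(cmd[len("rundll32.exe"):])
                findings.append(Finding("rundll32-hexname", line,
                    f"{hive} Run value '{name}' is 8 hex digits and loads {dll} via rundll32"))
            elif RE_WINROOT_EXE.match(_first_path(cmd)):
                findings.append(Finding("winroot-exe", line,
                    f"{hive} Run value '{name}' starts a binary directly from the Windows root"))
            continue

        m = RE_NOTIFY.match(line)
        if m:
            name, dll = m.groups()
            if name.lower() not in KNOWN_NOTIFY:
                findings.append(Finding("unknown-winlogon-notify", line,
                    f"Winlogon Notify package '{name}' is not an XP built-in; {dll} runs inside winlogon.exe"))
                hooks[dll.lower()].add("WinlogonNotify")
                hook_lines[dll.lower()].append(line)

    # One DLL registered under several hook types is a single component with
    # layered persistence: removing only the BHO leaves the other hooks to reload it.
    for path, kinds in hooks.items():
        if len(kinds) >= 2:
            findings.append(Finding("multi-hook-dll", hook_lines[path][0],
                f"{path} is registered as {', '.join(sorted(kinds))}; remove all of them together"))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"[{f.rule}] {f.detail}")
```

The correlation step is the part worth keeping: dfvayxls.dll shows up as a BHO, an IE toolbar and a Winlogon Notify package at once, so clearing the BHO alone leaves winlogon.exe reloading the same DLL at the next logon, which is why the script deletes the file and all of the registry references together.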

#5 marchin23
  • Topic Starter
  • Members
  • 4 posts

Posted 12 November 2007 - 01:49 PM

Here are the two logs.

ComboFix 07-11-08.3 - Administrator 2007-11-12 11:15:38.6 - NTFSx86
Running from: C:\Documents and Settings\administrator.BC\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\administrator.BC\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\WINDOWS\frexup2.exe
C:\WINDOWS\plite731.exe
C:\WINDOWS\plite731_uninstaller_.bat
C:\WINDOWS\SYSTEM32\aoemmnjy.dll
C:\WINDOWS\SYSTEM32\bpypeylq.dll
C:\WINDOWS\SYSTEM32\daymslsj.dll
C:\WINDOWS\SYSTEM32\dfvayxls.dll
C:\WINDOWS\SYSTEM32\ecvmfgkb.dll
C:\WINDOWS\SYSTEM32\epgnrowt.dll
C:\WINDOWS\SYSTEM32\hgjanggs.dll
C:\WINDOWS\SYSTEM32\qgvkxcvw.dll
C:\WINDOWS\SYSTEM32\qsxlnmjd.dll
C:\WINDOWS\SYSTEM32\rstwa.bak2
C:\WINDOWS\SYSTEM32\rstwa.ini2
.

Unable to gain System Privileges

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\administrator.BC\Desktop\Live Safety Center.lnk
C:\Documents and Settings\administrator.BC\Desktop\Online Security Guide.lnk
C:\Documents and Settings\administrator.BC\Favorites\Online Security Guide.lnk
C:\Documents and Settings\All Users\Application Data\Viewpoint
C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
C:\Documents and Settings\All Users\Start Menu\Online Security Guide.lnk
C:\Program Files\Viewpoint
C:\WINDOWS\frexup2.exe
C:\WINDOWS\plite731.exe
C:\WINDOWS\plite731_uninstaller_.bat
C:\WINDOWS\SYSTEM32\aoemmnjy.dll
C:\WINDOWS\SYSTEM32\bpypeylq.dll
C:\WINDOWS\SYSTEM32\daymslsj.dll
C:\WINDOWS\SYSTEM32\dfvayxls.dll
C:\WINDOWS\system32\dfvayxls.dllbox
C:\WINDOWS\SYSTEM32\ecvmfgkb.dll
C:\WINDOWS\SYSTEM32\epgnrowt.dll
C:\WINDOWS\SYSTEM32\hgjanggs.dll
C:\WINDOWS\SYSTEM32\qgvkxcvw.dll
C:\WINDOWS\SYSTEM32\qsxlnmjd.dll
C:\WINDOWS\SYSTEM32\rstwa.bak2
C:\WINDOWS\SYSTEM32\rstwa.ini2
C:\WINDOWS\VG9ueSBOZXd0b24

.
((((((((((((((((((((((((( Files Created from 2007-10-12 to 2007-11-12 )))))))))))))))))))))))))))))))
.

2007-11-10 14:01 <DIR> d-------- C:\HJT
2007-11-09 10:47 <DIR> d-------- C:\Documents and Settings\wes\Application Data\Grisoft
2007-11-07 13:09 <DIR> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab
2007-11-07 13:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-11-07 11:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-11-07 11:33 <DIR> d-------- C:\Documents and Settings\administrator.BC\Application Data\Grisoft
2007-11-07 11:33 10,872 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\AvgAsCln.sys
2007-11-06 10:48 <DIR> d-------- C:\Documents and Settings\wes\Application Data\SUPERAntiSpyware.com
2007-11-06 10:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2007-11-05 10:59 289,144 --a------ C:\WINDOWS\SYSTEM32\VCCLSID.exe
2007-11-05 10:59 288,417 --a------ C:\WINDOWS\SYSTEM32\SrchSTS.exe
2007-11-05 10:59 53,248 --a------ C:\WINDOWS\SYSTEM32\Process.exe
2007-11-05 10:59 51,200 --a------ C:\WINDOWS\SYSTEM32\dumphive.exe
2007-11-05 10:59 25,600 --a------ C:\WINDOWS\SYSTEM32\WS2Fix.exe
2007-11-02 10:09 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-01 10:07 <DIR> d-------- C:\Deckard
2007-10-31 13:25 6,058,496 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ieframe.dll
2007-10-31 13:25 2,455,488 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ieapfltr.dat
2007-10-31 13:25 459,264 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\msfeeds.dll
2007-10-31 13:25 383,488 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ieapfltr.dll
2007-10-31 13:25 267,776 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\iertutil.dll
2007-10-31 13:25 63,488 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\icardie.dll
2007-10-31 13:25 52,224 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\msfeedsbs.dll
2007-10-31 13:25 13,824 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ieudinit.exe
2007-10-31 12:08 <DIR> d-------- C:\Program Files\a-squared Anti-Malware
2007-10-31 11:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Prevx
2007-10-31 08:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-10-31 08:08 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-10-31 08:08 <DIR> d-------- C:\Documents and Settings\administrator.BC\Application Data\SUPERAntiSpyware.com
2007-10-31 07:49 <DIR> d-------- C:\Program Files\CCleaner
2007-10-30 17:14 24,064 --a------ C:\WINDOWS\SYSTEM32\msxml3a.dll
2007-10-30 13:31 94,480 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\tmcomm.sys
2007-10-30 13:27 <DIR> d-------- C:\Documents and Settings\administrator.BC\.housecall6.6
2007-10-30 08:55 1,152 --a------ C:\WINDOWS\SYSTEM32\windrv.sys
2007-10-30 08:54 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2007-10-30 08:34 2,794 --a------ C:\WINDOWS\SYSTEM32\tmp.reg
2007-10-30 07:29 340,032 --------- C:\WINDOWS\SYSTEM32\dfvayxls.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-09 18:52 --------- d-----w C:\Documents and Settings\wes\Application Data\AdobeUM
2007-11-07 20:45 --------- d-----w C:\Program Files\Java
2007-11-06 18:48 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-10-31 23:28 --------- d-----w C:\Program Files\Symantec AntiVirus
2007-10-31 23:27 --------- d-----w C:\Program Files\QuickTime
2007-10-31 23:21 --------- d-----w C:\Program Files\iTunes
2007-10-31 23:21 --------- d-----w C:\Program Files\Digital Line Detect
2007-10-31 23:21 --------- d-----w C:\Program Files\DellSupport
2007-10-31 23:20 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-10-31 17:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-10-29 18:52 --------- d-----w C:\Program Files\Bodog Poker
2007-10-29 18:20 --------- d-----w C:\Program Files\omniformat
2007-10-29 17:12 10 ----a-w C:\Program Files\.autoreg
2007-10-29 15:53 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-25 01:56 --------- d-----w C:\Program Files\Google
2007-10-25 01:54 --------- d-----w C:\Program Files\BetZip
2007-10-17 01:17 --------- d-----w C:\Program Files\UltimateBet
2007-09-27 20:59 --------- d-----w C:\Documents and Settings\roger\Application Data\AdobeUM
2007-09-14 18:30 --------- d-----w C:\Documents and Settings\roger\Application Data\GTek
2007-09-14 18:29 --------- d-----w C:\Documents and Settings\roger\Application Data\Talkback
2007-09-12 23:13 --------- d-----w C:\Program Files\Absolute Poker
2007-08-22 12:55 474,112 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\shlwapi.dll
2007-08-22 12:55 151,040 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\cdfview.dll
2007-08-22 12:55 1,498,112 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\shdocvw.dll
2007-08-22 12:55 1,054,208 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\danim.dll
2007-08-22 12:55 1,022,976 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\browseui.dll
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\SYSTEM32\inetcomm.dll
2007-08-21 06:15 683,520 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\inetcomm.dll
2007-08-20 23:34 3,584,512 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtml.dll
2007-08-20 10:04 824,832 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\wininet.dll
2007-08-20 10:04 671,232 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\mstime.dll
2007-08-20 10:04 477,696 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtmled.dll
2007-08-20 10:04 44,544 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iernonce.dll
2007-08-20 10:04 384,512 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iedkcs32.dll
2007-08-20 10:04 27,648 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\jsproxy.dll
2007-08-20 10:04 232,960 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\webcheck.dll
2007-08-20 10:04 230,400 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieaksie.dll
2007-08-20 10:04 214,528 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\dxtrans.dll
2007-08-20 10:04 193,024 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\msrating.dll
2007-08-20 10:04 153,088 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieakeng.dll
2007-08-20 10:04 132,608 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\extmgr.dll
2007-08-20 10:04 124,928 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\advpack.dll
2007-08-20 10:04 105,984 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\url.dll
2007-08-20 10:04 102,400 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\occache.dll
2007-08-20 10:04 1,152,000 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\urlmon.dll
2007-08-17 10:21 625,152 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iexplore.exe
2007-08-17 10:20 63,488 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ie4uinit.exe
2007-08-17 07:34 161,792 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieakui.dll
2007-08-14 02:54 413,696 ----a-w C:\WINDOWS\SYSTEM32\vbscript.dll
2007-08-14 02:54 413,696 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\vbscript.dll
2007-08-14 02:54 33,792 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\custsat.dll
2007-08-14 02:54 191,488 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\iepeers.dll
2007-08-14 02:54 156,160 ----a-w C:\WINDOWS\SYSTEM32\msls31.dll
2007-08-14 02:54 156,160 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\msls31.dll
2007-08-14 02:45 78,336 ----a-w C:\WINDOWS\SYSTEM32\ieencode.dll
2007-08-14 02:45 78,336 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieencode.dll
2007-08-14 02:44 69,120 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\iedw.exe
2007-08-14 02:44 40,960 ----a-w C:\WINDOWS\SYSTEM32\licmgr10.dll
2007-08-14 02:44 40,960 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\licmgr10.dll
2007-08-14 02:42 17,408 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\corpol.dll
2007-08-14 02:39 92,672 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\inseng.dll
2007-08-14 02:39 71,680 ----a-w C:\WINDOWS\SYSTEM32\admparse.dll
2007-08-14 02:39 71,680 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\admparse.dll
2007-08-14 02:39 55,296 ----a-w C:\WINDOWS\SYSTEM32\iesetup.dll
2007-08-14 02:39 55,296 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iesetup.dll
2007-08-14 02:38 491,520 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\jscript.dll
2007-08-14 02:36 44,544 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\pngfilt.dll
2007-08-14 02:36 36,352 ----a-w C:\WINDOWS\SYSTEM32\imgutil.dll
2007-08-14 02:36 36,352 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\imgutil.dll
2007-08-14 02:35 346,624 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\dxtmsft.dll
2007-08-14 02:32 45,568 ----a-w C:\WINDOWS\SYSTEM32\mshta.exe
2007-08-14 02:32 45,568 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\mshta.exe
2007-08-14 02:18 60,416 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\hmmapi.dll
2007-08-14 02:01 48,128 ----a-w C:\WINDOWS\SYSTEM32\mshtmler.dll
2007-08-14 02:01 48,128 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtmler.dll
2005-11-03 21:30 483,401 -c--a-w C:\Documents and Settings\paulperez\314_gotomypc.exe
2005-08-17 14:07 483,401 -c--a-w C:\Documents and Settings\chawn\gotomypc.exe
2005-08-11 14:25 483,401 -c--a-w C:\Documents and Settings\paulperez\gotomypc.exe
.

((((((((((((((((((((((((((((( snapshot@2007-11-02_10.34.32.10 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-10-30 02:56:19 136,192 ----a-w C:\WINDOWS\catchme.exe
+ 2007-11-09 00:59:01 136,704 ----a-w C:\WINDOWS\catchme.exe
- 2003-11-19 21:36:26 24,681 ----a-w C:\WINDOWS\SYSTEM32\java.exe
+ 2007-09-25 06:30:28 135,168 ----a-w C:\WINDOWS\SYSTEM32\java.exe
- 2003-11-19 21:36:30 28,779 ----a-w C:\WINDOWS\SYSTEM32\javaw.exe
+ 2007-09-25 06:30:30 135,168 ----a-w C:\WINDOWS\SYSTEM32\javaw.exe
+ 2007-09-25 07:31:42 139,264 ----a-w C:\WINDOWS\SYSTEM32\javaws.exe
+ 2005-05-24 20:27:16 213,048 ----a-w C:\WINDOWS\SYSTEM32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-08-29 23:47:20 94,208 ----a-w C:\WINDOWS\SYSTEM32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-29 23:49:54 950,272 ----a-w C:\WINDOWS\SYSTEM32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{331401de-6a1a-43ab-8ccf-4b90460d7939}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{549B5CA7-4A86-11D7-A4DF-000874180BB3}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8ABA9A9C-8791-4d61-8D5B-BCC9448EA573}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
2007-11-12 11:25 340032 --------- C:\WINDOWS\system32\dfvayxls.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E0BC9A8A-91D7-4408-92B7-C1C285C502EC}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{11A69AE4-FBED-4832-A2BF-45AF82825583}"= C:\WINDOWS\system32\dfvayxls.dll [2007-11-12 11:25 340032]

[HKEY_CLASSES_ROOT\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-10-19 07:59]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-10-19 07:59]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2005-10-25 11:48]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2005-10-18 11:58]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-11-23 13:54]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2005-04-08 15:52]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2005-04-17 12:30]
"HostManager"="C:\Program Files\Common Files\AOL\1150394361\ee\AOLSoftware.exe" [2006-04-20 09:10]
"IPHSend"="C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe" [2006-02-17 08:59]
"plite731"="C:\WINDOWS\plite731.exe" []
"f02c6bab"="C:\WINDOWS\system32\ajqrekqq.dll" []
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 01:25]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 08:24]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 11:09]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56]

C:\Documents and Settings\paulperez\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-01-21 00:15:54]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2004-08-17 07:00:48]
eFax DllCmd 4.0.lnk - C:\Program Files\eFax Messenger 4.0\J2GDllCmd.exe [2005-08-16 08:40:23]
eFax Tray Menu 4.0.lnk - C:\Program Files\eFax Messenger 4.0\J2GTray.exe [2005-08-16 08:40:24]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-01-21 00:15:54]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dfvayxls]
dfvayxls.dll 2007-11-12 11:25 340032 C:\WINDOWS\SYSTEM32\dfvayxls.dll


.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-12 11:29:51
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-12 11:35:44 - machine was rebooted
C:\ComboFix2.txt ... 2007-11-10 14:30
C:\ComboFix3.txt ... 2007-11-07 11:29
.
--- E O F ---




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:43, on 2007-11-12
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\AOL\1150394361\ee\AOLSoftware.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\notepad.exe
C:\HJT\HiJackThis(2).exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {331401de-6a1a-43ab-8ccf-4b90460d7939} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {8ABA9A9C-8791-4d61-8D5B-BCC9448EA573} - (no file)
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\dfvayxls.dll
O2 - BHO: (no name) - {E0BC9A8A-91D7-4408-92B7-C1C285C502EC} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\dfvayxls.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1150394361\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [plite731] C:\WINDOWS\plite731.exe
O4 - HKLM\..\Run: [f02c6bab] rundll32.exe "C:\WINDOWS\system32\ajqrekqq.dll",b
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: eFax DllCmd 4.0.lnk = C:\Program Files\eFax Messenger 4.0\J2GDllCmd.exe
O4 - Global Startup: eFax Tray Menu 4.0.lnk = C:\Program Files\eFax Messenger 4.0\J2GTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5C86F808-EDD2-4E5D-9C4F-E0D1ADA859AF} (Web Conferencing) - http://server.mymeetingcentral.com/join_a.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = BC.local
O17 - HKLM\Software\..\Telephony: DomainName = BC.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{D58F47A8-090C-4D4D-81EA-7A20EFE47389}: NameServer = 192.168.1.209,205.254.224.4,199.201.128.1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = BC.local
O17 - HKLM\System\CS1\Services\Tcpip\..\{D58F47A8-090C-4D4D-81EA-7A20EFE47389}: NameServer = 192.168.1.209,205.254.224.4,199.201.128.1
O20 - Winlogon Notify: dfvayxls - C:\WINDOWS\SYSTEM32\dfvayxls.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 7161 bytes

#6 RichieUK
    Malware Assassin
  • Malware Response Team
  • 13,614 posts

Posted 12 November 2007 - 05:02 PM

Download Avenger from the link below:
http://swandog46.geekstogo.com/avenger.zip
Unzip/extract it to your desktop.

Start up Avenger.
Check the 'Input script manually' option.
Click the Magnifying Glass icon.
In the box that opens, copy and paste ALL of the following text:

Files to delete:
C:\WINDOWS\system32\dfvayxls.dll

Then click on 'Done'.
Click the Traffic Light icon to start the program.
Then press OK at the prompts to reboot your PC.

Post the Avenger output.txt, which you can find at C:\Avenger\.txt, into your next reply.

Have HijackThis fix the following by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and Windows Explorer windows are closed before fixing:
O2 - BHO: (no name) - {331401de-6a1a-43ab-8ccf-4b90460d7939} - (no file)
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {8ABA9A9C-8791-4d61-8D5B-BCC9448EA573} - (no file)
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\dfvayxls.dll
O2 - BHO: (no name) - {E0BC9A8A-91D7-4408-92B7-C1C285C502EC} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\dfvayxls.dll
O4 - HKLM\..\Run: [plite731] C:\WINDOWS\plite731.exe
O4 - HKLM\..\Run: [f02c6bab] rundll32.exe "C:\WINDOWS\system32\ajqrekqq.dll",b
O20 - Winlogon Notify: dfvayxls - C:\WINDOWS\SYSTEM32\dfvayxls.dll

Exit Hijackthis.

Restart your pc.
Also post a new Hijackthis log please.
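An added example, not from RichieUK's post and not code from Avenger or HijackThis: a Python helper that turns the fix list above into a .reg file using regedit's deletion syntax, where `[-key]` removes a whole key and `"value"=-` removes a single value under a key header (the same syntax the CFScript Registry section uses). The key paths are the standard XP locations for BHOs, IE toolbars, the HKLM Run key and Winlogon Notify; the CLSIDs, value names and Notify name are copied from the fix list, and the file name remove.reg is the example's own choice.

```python
from typing import Iterable, List

# Standard locations of the four persistence points that appear in this thread.
BHO_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
TOOLBAR_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar"
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"
CLSID_KEY = r"HKEY_CLASSES_ROOT\CLSID"

# Entries copied from the HijackThis fix list in the post above.
BHO_CLSIDS = ["{331401de-6a1a-43ab-8ccf-4b90460d7939}", "{549B5CA7-4A86-11D7-A4DF-000874180BB3}",
              "{8ABA9A9C-8791-4d61-8D5B-BCC9448EA573}", "{A95B2816-1D7E-4561-A202-68C0DE02353A}",
              "{E0BC9A8A-91D7-4408-92B7-C1C285C502EC}", "{FDD3B846-8D59-4ffb-8758-209B6AD74ACC}"]
TOOLBAR_CLSIDS = ["{11A69AE4-FBED-4832-A2BF-45AF82825583}"]
RUN_VALUES = ["plite731", "f02c6bab"]
NOTIFY_NAMES = ["dfvayxls"]


def _braced(clsid: str) -> str:
    """Accept a CLSID with or without braces and return it braced, as .reg keys need."""
    return "{" + clsid.strip("{}") + "}"


def removal_reg_lines(bho_clsids: Iterable[str], toolbar_clsids: Iterable[str],
                      run_values: Iterable[str], notify_names: Iterable[str]) -> List[str]:
    """Build the lines of a .reg file that deletes the given persistence entries."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for clsid in bho_clsids:
        c = _braced(clsid)
        # Unregister the BHO and drop its COM class so the DLL cannot be re-instantiated.
        lines += [f"[-{BHO_KEY}\\{c}]", f"[-{CLSID_KEY}\\{c}]", ""]
    toolbars = [_braced(c) for c in toolbar_clsids]
    if toolbars:
        # Toolbars are values under one shared key, so delete values, not the key.
        lines.append(f"[{TOOLBAR_KEY}]")
        lines += [f'"{c}"=-' for c in toolbars]
        lines.append("")
        for c in toolbars:
            lines += [f"[-{CLSID_KEY}\\{c}]", ""]
    runs = list(run_values)
    if runs:
        lines.append(f"[{RUN_KEY}]")
        lines += [f'"{v}"=-' for v in runs]
        lines.append("")
    for name in notify_names:
        # Each Notify package is its own subkey; deleting it stops winlogon loading the DLL.
        lines += [f"[-{NOTIFY_KEY}\\{name}]", ""]
    return lines


def build_removal_reg(bho_clsids, toolbar_clsids, run_values, notify_names) -> str:
    """Join with CRLF, which is what regedit-exported .reg files use."""
    return "\r\n".join(removal_reg_lines(bho_clsids, toolbar_clsids, run_values, notify_names)) + "\r\n"


if __name__ == "__main__":
    # Written as UTF-16 with BOM, the encoding regedit itself exports. Back up with
    # `reg export` first, review the file, then import it from an administrator account.
    with open("remove.reg", "w", encoding="utf-16", newline="") as fh:
        fh.write(build_removal_reg(BHO_CLSIDS, TOOLBAR_CLSIDS, RUN_VALUES, NOTIFY_NAMES))
```

Removing the keys does not remove the DLL: a Winlogon Notify package is mapped inside winlogon.exe and cannot be deleted while it is loaded, which is why the Avenger step above schedules the file deletion for the next boot. Both halves are needed, and this file only covers the registry half.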

#7 marchin23
  • Topic Starter
  • Members
  • 4 posts

Posted 13 November 2007 - 12:41 PM

Here are the two new logs. Thanks.

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\uxnxcmei

*******************

Script file located at: \??\C:\WINDOWS\system32\hqdowmyb.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINDOWS\system32\dfvayxls.dll deleted successfully.

Completed script processing.

*******************

Finished! Terminate.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:35, on 2007-11-13
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Common Files\AOL\1150394361\ee\AOLSoftware.exe
C:\Program Files\Symantec AntiVirus\DoScan.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\HJT\HiJackThis(2).exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1150394361\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: eFax DllCmd 4.0.lnk = C:\Program Files\eFax Messenger 4.0\J2GDllCmd.exe
O4 - Global Startup: eFax Tray Menu 4.0.lnk = C:\Program Files\eFax Messenger 4.0\J2GTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5C86F808-EDD2-4E5D-9C4F-E0D1ADA859AF} (Web Conferencing) - http://server.mymeetingcentral.com/join_a.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = BC.local
O17 - HKLM\Software\..\Telephony: DomainName = BC.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{D58F47A8-090C-4D4D-81EA-7A20EFE47389}: NameServer = 192.168.1.209,205.254.224.4,199.201.128.1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = BC.local
O17 - HKLM\System\CS1\Services\Tcpip\..\{D58F47A8-090C-4D4D-81EA-7A20EFE47389}: NameServer = 192.168.1.209,205.254.224.4,199.201.128.1
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 6432 bytes

#8 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  • Local time:08:05 AM

Posted 13 November 2007 - 04:12 PM

Your log is clean :thumbsup:
If all's ok, please do the following:

Click on Start/Run, copy and paste ComboFix /u into the 'Open:' space, then press Ok.


Please download OTMoveIt by OldTimer:
http://download.bleepingcomputer.com/oldtimer/OTMoveIt.exe
Save it to your desktop.
Please double-click OTMoveIt.exe to run it.
Click on the 'Cleanup' button.
When you do this a text file named cleanup.txt will be downloaded from the internet.
If you get a warning from your firewall or other security programs regarding OTMoveIt attempting to contact the internet you should allow it to do so.
When the 'Confirm' box appears click 'Yes'.
Restart your PC when prompted.

Download ATF Cleaner by Atribune:
http://www.atribune.org/ccount/click.php?id=1

Double-click ATF-Cleaner.exe to run the program.
Click 'Select All' found at the bottom of the list.
Click the 'Empty Selected' button.

If you use Firefox browser, do this also:
Click Firefox at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords, please click 'No' at the prompt.

If you use Opera browser, do this also:
Click Opera at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords, please click 'No' at the prompt.
Click 'Exit' on the Main menu to close the program.

Click on Start/All Programs/Accessories/System Tools/System Restore.
In the 'System Restore' window, click on the 'Create a Restore Point' button, then click 'Next'.
In the window that appears, enter a description/name for the Restore Point, then click on 'Create', wait, then click 'Close'.
The date and time will be created automatically.

Next click on Start/All Programs/Accessories/System Tools/Disk Cleanup.
The 'Select Drive' box will appear, click on Ok.
The 'Disk Cleanup for [C:]' box will appear, click on the 'More Options' tab.
At the bottom in the 'System Restore' window, click on the 'Clean up...' button.
A box will pop up 'Are you sure you want to delete all but the most recent restore point?', click on 'Yes'.
Click on 'Yes' at 'Are you sure you want to perform these actions?'.
Now wait until 'Disk Cleanup' finishes and the box disappears.

You should take the time to read and follow the information found in the links below, to help you prevent any possible future infections and stay safe and secure while online:

Simple and easy ways to keep your computer safe and secure on the Internet:
http://www.bleepingcomputer.com/tutorials/keep-your-computer-safe-online/

How to prevent Malware:
http://users.telenet.be/bluepatchy/miekiem...prevention.html

So how did I get infected in the first place:
http://forums.spybot.info/showthread.php?t=279

Malware Cleanup Programs and Preventative Procedures:
http://russelltexas.com/malware/allclear.htm