
I Did Almost All The Steps But Still Got It. Vundo?


17 replies to this topic

#1 Starkster

Posted 10 November 2007 - 06:20 PM

Hi
I picked up something. It's making registry changes, popups and general problems.
I also get a message at start up saying Error Loading C:\windows\system32\eyhxjnga.dll

So I did this, in order:
I ran Ad-Aware SE
I ran Clean-Up
I downloaded Microsoft OneCare. It removed everything but Vundo K
I updated my Java
I downloaded my Microsoft updates
I ran OneCare again
I ran VundoFix
I deleted OneCare and ran Roguescanfix, but no help.
I then ran Spybot; it found several other viruses and fixed all but one.
I then ran HijackThis (HJT), an old version
I ran Spybot again
I ran Stinger
I updated HJT and ran it again.

Here is my HJT log. Please give me your recommendations.



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:07:19 PM, on 11/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\basfipm.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINDOWS\system32\bkgvpxrs.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\DrvMon.exe
C:\PROGRA~1\SIMPLE~1\PHOTOS~1\data\xtras\mssysmgr.exe
C:\Program Files\QdrPack\QdrPack9.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=566...m/ig/dell?hl=en
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O3 - Toolbar: (no name) - {11A69AE4-FBED-4832-A2BF-45AF82825583} - (no file)
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [LanzarL2007] "C:\DOCUME~1\tstarkey\LOCALS~1\Temp\{9CD6A1D8-86D7-4897-9ABC-AA2073B2DB77}\{D1DA2BA7-2592-4036-9BB2-DCCABDE8DC1A}\..\..\L2007tmp\Setup.exe" /SETUP:"/l0x0009"
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [4cb07d28] rundll32.exe "C:\WINDOWS\system32\eyhxjnga.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DrvMon.exe] C:\WINDOWS\system32\DrvMon.exe
O4 - HKCU\..\Run: [Simple Star PhotoShow Media Manager] C:\PROGRA~1\SIMPLE~1\PHOTOS~1\data\xtras\mssysmgr.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [ArtChk] C:\WINDOWS\system32\artchker.exe
O4 - HKCU\..\Run: [QdrPack9] "C:\Program Files\QdrPack\QdrPack9.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ISMModule8] "C:\Program Files\ISM\ISMModule8.exe"
O4 - HKCU\..\Run: [WinAble] C:\Program Files\WinAble\winable.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O23 - Service: Broadcom ASF IP monitoring service v6.0.4 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\basfipm.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: DomainService - - C:\WINDOWS\system32\bkgvpxrs.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--
End of file - 5378 bytes


#2 RichieUK
    Malware Assassin
  • Malware Response Team

Posted 11 November 2007 - 07:37 AM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum Starkster :thumbsup:
My name is Richie and I'll be helping you to fix your problems.

If you have previously downloaded ComboFix, please delete that version now.
Now download ComboFix and save it to your desktop:
Note:
It is important that it is saved directly to your desktop.

Close any open browsers.
Disconnect from the Internet.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.
Note:
Do not mouseclick ComboFix's window while it's running.
That may cause the program to freeze/hang.

Do NOT post the ComboFix-quarantined-files.txt unless I ask.
*Note*
In case your antivirus or any other realtime scanner is displaying an alert after you downloaded ComboFix or while you use ComboFix, please disable your scanner and redownload ComboFix again.
Some scanners may see some ComboFix related components as suspicious and block or delete them while there's nothing wrong with them.

Now go to:
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
Right click on HijackThis.exe and select 'Rename', rename it to abc.bat
Double click on abc.bat (which is still HijackThis.exe), post that log into your next reply please.

#3 Starkster
  • Topic Starter

Posted 11 November 2007 - 07:50 PM

Ok, Thank you.

I downloaded ComboFix and ran it. Spybot kept asking to allow or disallow. I don't know if that will make a difference; also, I still have all those others such as Stinger and Ad-Aware SE as well. Should I delete Spybot and rerun ComboFix?
I didn't see a quarantined-files.txt. I did see a log once it was completed that included deleted items. I did not post it here because of your instructions NOT to post the quarantine items. I am not sure if the quarantine items were included in the log or not. Please direct.

#4 RichieUK
    Malware Assassin
  • Malware Response Team

Posted 11 November 2007 - 08:04 PM

Spybot kept asking to allow or disallow.

You should allow the changes.

Please disable Spybot S&D's protection, or it will interfere.
You can enable it later once your system is clean.

Open Spybot and click on 'Mode' and check 'Advanced Mode'.
Click on 'Tools' in the bottom left hand corner.
Click on the 'System Startup' icon.
Uncheck the 'Teatimer' box and/or uncheck 'Resident'.
Click the 'Allow Change' box.
Then, check next to the computer clock to see if the icon for Spybot is still there.
If it is, right click it and choose 'exit Spybot-S&D Resident'.
Restart the computer.
If you find you're experiencing problems disabling Spybot's TeaTimer, follow the info in the link below:
http://www.russelltexas.com/malware/teatimer.htm

Now try the ComboFix instructions again.
If it's successful, also do the following:
Go to:
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
Right click on HijackThis.exe and select 'Rename', rename it to abc.bat
Double click on abc.bat (which is still HijackThis.exe), post that log into your next reply please.

#5 Starkster
  • Topic Starter

Posted 11 November 2007 - 09:33 PM

I went ahead and deleted Spybot S&D and re-ran ComboFix. Here is the ComboFix log.

ComboFix 07-11-08.3 - tstarkey 2007-11-11 21:24:12.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.675 [GMT -5:00]
Running from: C:\Documents and Settings\tstarkey.STARKY-WS1\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2007-10-12 to 2007-11-12 )))))))))))))))))))))))))))))))
.

2007-11-11 18:52 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-11 14:11 79,936 --a------ C:\WINDOWS\system32\ydwerpxw.dll
2007-11-11 14:08 71,232 --a------ C:\WINDOWS\system32\qckksjrh.exe
2007-11-11 09:26 <DIR> d-------- C:\Program Files\Atari
2007-11-10 18:06 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-10 17:45 81,472 --a------ C:\WINDOWS\system32\vnqeamog.dll
2007-11-10 17:42 85,056 --a------ C:\WINDOWS\system32\ressqjwk.dll
2007-11-10 17:36 71,232 --a------ C:\WINDOWS\system32\xmlyifye.exe
2007-11-10 16:54 <DIR> d-------- C:\Documents and Settings\tstarkey.STARKY-WS1\.housecall6.6
2007-11-10 16:45 81,472 --a------ C:\WINDOWS\system32\kifddcpf.dll
2007-11-10 11:59 <DIR> d-------- C:\Program Files\Lucas Learning
2007-11-10 11:56 71,232 --a------ C:\WINDOWS\system32\afdovqpe.exe
2007-11-09 17:54 77,888 --a------ C:\WINDOWS\system32\bflkhokc.dll
2007-11-09 17:51 88,128 --a------ C:\WINDOWS\system32\guuwovet.dll
2007-11-09 17:45 71,232 --a------ C:\WINDOWS\system32\nogkfeaa.exe
2007-11-09 17:15 77,888 --a------ C:\WINDOWS\system32\agigmerh.dll
2007-11-09 17:09 71,232 --a------ C:\WINDOWS\system32\bkgvpxrs.exe
2007-11-09 15:11 77,888 --a------ C:\WINDOWS\system32\obmnrwkd.dll
2007-11-09 15:08 88,128 --a------ C:\WINDOWS\system32\tjiavpwy.dll
2007-11-09 15:02 71,232 --a------ C:\WINDOWS\system32\hsftnexf.exe
2007-11-09 14:51 77,888 --a------ C:\WINDOWS\system32\rdlrabak.dll
2007-11-09 14:48 88,128 --a------ C:\WINDOWS\system32\ssiuxxiq.dll
2007-11-09 14:42 <DIR> d-------- C:\Program Files\QdrModule
2007-11-09 14:42 71,232 --a------ C:\WINDOWS\system32\bnwxxqgw.exe
2007-11-08 21:28 94,480 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-11-08 21:03 86,080 --a------ C:\WINDOWS\system32\ucclfbta.dll
2007-11-08 21:00 80,448 --a------ C:\WINDOWS\system32\otaujeww.dll
2007-11-08 20:54 71,232 --a------ C:\WINDOWS\system32\oakysnth.exe
2007-11-08 11:28 86,080 --a------ C:\WINDOWS\system32\wijhgidt.dll
2007-11-08 11:25 80,448 --a------ C:\WINDOWS\system32\grqytthv.dll
2007-11-08 11:19 71,232 --a------ C:\WINDOWS\system32\hrhbnvce.exe
2007-11-08 08:50 80,448 --a------ C:\WINDOWS\system32\woqcthae.dll
2007-11-08 08:44 86,080 --a------ C:\WINDOWS\system32\hqcwudpm.dll
2007-11-08 08:41 71,232 --a------ C:\WINDOWS\system32\xhjkgdpw.exe
2007-11-06 20:36 81,472 --a------ C:\WINDOWS\system32\myjrhmwd.dll
2007-11-06 20:30 145,984 --a------ C:\WINDOWS\system32\rseashnq.dll
2007-11-05 20:31 83,008 --a------ C:\WINDOWS\system32\lwrebvqk.dll
2007-11-04 01:38 78,912 --a------ C:\WINDOWS\system32\gbrxytmo.dll
2007-11-02 16:57 <DIR> d-------- C:\Program Files\QuickTime
2007-11-02 16:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-11-02 16:56 <DIR> d-------- C:\Program Files\Apple Software Update
2007-11-02 16:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2007-11-01 20:50 24,576 --a------ C:\WINDOWS\system32\VundoFixSVC.exe
2007-11-01 20:24 <DIR> d-------- C:\Program Files\ACW
2007-10-30 20:18 <DIR> d-------- C:\VundoFix Backups
2007-10-29 10:27 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-10-29 10:27 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2007-10-28 15:24 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2007-10-27 07:53 582,656 --------- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2007-10-26 22:10 <DIR> d--hs---- C:\WINDOWS\dHN0YXJreQ
2007-10-26 22:06 <DIR> d-------- C:\Temp
2007-10-26 22:06 41 --a------ C:\WINDOWS\plite731_uninstaller_.bat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-12 02:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-12 02:04 --------- d-----w C:\Program Files\Citrix
2007-11-12 00:53 --------- d-----w C:\Program Files\Roguescanfix
2007-11-11 14:28 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-06 22:08 --------- d-----w C:\Program Files\OpenOffice.org 2.0
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-08-21 06:15 683,520 ------w C:\WINDOWS\system32\dllcache\inetcomm.dll
2007-08-20 10:04 824,832 ----a-w C:\WINDOWS\system32\dllcache\wininet.dll
2007-08-20 10:04 671,232 ----a-w C:\WINDOWS\system32\dllcache\mstime.dll
2007-08-20 10:04 63,488 ------w C:\WINDOWS\system32\dllcache\icardie.dll
2007-08-20 10:04 6,058,496 ------w C:\WINDOWS\system32\dllcache\ieframe.dll
2007-08-20 10:04 52,224 ------w C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-08-20 10:04 477,696 ----a-w C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-08-20 10:04 459,264 ------w C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-08-20 10:04 44,544 ------w C:\WINDOWS\system32\dllcache\iernonce.dll
2007-08-20 10:04 384,512 ------w C:\WINDOWS\system32\dllcache\iedkcs32.dll
2007-08-20 10:04 383,488 ------w C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-08-20 10:04 3,584,512 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2007-08-20 10:04 27,648 ----a-w C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-08-20 10:04 267,776 ------w C:\WINDOWS\system32\dllcache\iertutil.dll
2007-08-20 10:04 232,960 ------w C:\WINDOWS\system32\dllcache\webcheck.dll
2007-08-20 10:04 230,400 ------w C:\WINDOWS\system32\dllcache\ieaksie.dll
2007-08-20 10:04 214,528 ----a-w C:\WINDOWS\system32\dllcache\dxtrans.dll
2007-08-20 10:04 193,024 ----a-w C:\WINDOWS\system32\dllcache\msrating.dll
2007-08-20 10:04 153,088 ------w C:\WINDOWS\system32\dllcache\ieakeng.dll
2007-08-20 10:04 132,608 ----a-w C:\WINDOWS\system32\dllcache\extmgr.dll
2007-08-20 10:04 124,928 ------w C:\WINDOWS\system32\dllcache\advpack.dll
2007-08-20 10:04 105,984 ------w C:\WINDOWS\system32\dllcache\url.dll
2007-08-20 10:04 102,400 ------w C:\WINDOWS\system32\dllcache\occache.dll
2007-08-20 10:04 1,152,000 ----a-w C:\WINDOWS\system32\dllcache\urlmon.dll
2007-08-17 10:21 625,152 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
2007-08-17 10:20 63,488 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2007-08-17 10:20 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-08-17 07:34 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll
2006-05-31 18:50 557,056 ----a-w C:\Documents and Settings\tstarkey\chatlnk.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0646465D-AFB3-4478-9D3A-D65DB9DD495D}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{104870A3-2861-4FC3-27B5-A5CD56243AC2}]
C:\Program Files\Internet Explorer\qucavomad.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{12a6cc30-6f46-45a7-a9e9-20750f3f1db0}]
C:\WINDOWS\system32\ythevpm.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{26DB6FEE-C6D9-4C69-86BD-E67B82FD1E8C}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4CBA5E79-4A92-459F-89B8-8A4AC53753DE}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6A914D19-505B-42ED-92FA-12A68105A64C}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8A5C0FDE-A201-447D-85CA-3777005FEAD1}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8ABA9A9C-8791-4d61-8D5B-BCC9448EA573}]
C:\Program Files\ISM\BndDrive7.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8F05E5CB-1D22-418D-B2EF-983B95F4EADA}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CC482556-3046-4405-8885-D03570595DC8}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="C:\WINDOWS\system32\mobsync.exe" [2004-08-04 06:00]
"LanzarL2007"="C:\DOCUME~1\tstarkey\LOCALS~1\Temp\{9CD6A1D8-86D7-4897-9ABC-AA2073B2DB77}\{D1DA2BA7-2592-4036-9BB2-DCCABDE8DC1A}\..\..\L2007tmp\Setup.exe" []
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 16:32]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 05:24]
"4cb07d28"="C:\WINDOWS\system32\eyhxjnga.dll" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00]
"DrvMon.exe"="C:\WINDOWS\system32\DrvMon.exe" [2006-06-14 23:11]
"Simple Star PhotoShow Media Manager"="C:\PROGRA~1\SIMPLE~1\PHOTOS~1\data\xtras\mssysmgr.exe" [2006-01-13 16:22]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45]
"ArtChk"="C:\WINDOWS\system32\artchker.exe" []
"ISMModule8"="C:\Program Files\ISM\ISMModule8.exe" []

C:\Documents and Settings\tstarkey\Start Menu\Programs\Startup\
HotSync Manager.lnk - C:\Program Files\Palm\HOTSYNC.EXE [2003-09-25 09:47:12]

C:\Documents and Settings\tstarkey.STARKY-WS1\Start Menu\Programs\Startup\
PowerReg Scheduler V3.exe [2007-11-11 09:28:55]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoViewOnDrive"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avldr]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Dataviz Messenger.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Dataviz Messenger.lnk
backup=C:\WINDOWS\pss\Dataviz Messenger.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=C:\WINDOWS\pss\Digital Line Detect.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
C:\Program Files\Apoint\Apoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BuildBU]
c:\dell\bldbubg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell QuickSet]
C:\Program Files\Dell\QuickSet\quickset.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell Wireless Manager UI]
C:\WINDOWS\system32\WLTRAY

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
C:\WINDOWS\system32\dla\tfswctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
"C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
C:\WINDOWS\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe]
c:\PROGRA~1\mcafee.com\agent\mcagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]
c:\PROGRA~1\mcafee.com\agent\mcupdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
"C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
"C:\Program Files\Windows Defender\MSASCui.exe" -hide

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\_AntiSpyware]
c:\progra~1\mcafee\MCAFEE~1\masalert.exe

R2 BASFND;BASFND;\??\C:\WINDOWS\system32\Drivers\BASFND.sys
R3 GTIPCI21;GTIPCI21;C:\WINDOWS\system32\DRIVERS\gtipci21.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\Loaderw.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-11-10 17:05:28 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-11 21:25:41
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-11 21:26:16
C:\ComboFix2.txt ... 2007-11-11 19:07
.
--- E O F ---

#6 Starkster
  • Topic Starter

Posted 11 November 2007 - 09:44 PM

Here is the HJT log


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:40:53 PM, on 11/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\basfipm.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\DrvMon.exe
C:\PROGRA~1\SIMPLE~1\PHOTOS~1\data\xtras\mssysmgr.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\abc.bat.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=566...m/ig/dell?hl=en
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {0646465D-AFB3-4478-9D3A-D65DB9DD495D} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: 0 - {104870A3-2861-4FC3-27B5-A5CD56243AC2} - C:\Program Files\Internet Explorer\qucavomad.dll (file missing)
O2 - BHO: (no name) - {12a6cc30-6f46-45a7-a9e9-20750f3f1db0} - C:\WINDOWS\system32\ythevpm.dll (file missing)
O2 - BHO: (no name) - {26DB6FEE-C6D9-4C69-86BD-E67B82FD1E8C} - (no file)
O2 - BHO: (no name) - {4CBA5E79-4A92-459F-89B8-8A4AC53753DE} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {6A914D19-505B-42ED-92FA-12A68105A64C} - (no file)
O2 - BHO: (no name) - {8A5C0FDE-A201-447D-85CA-3777005FEAD1} - (no file)
O2 - BHO: BndShell3 BHO Class - {8ABA9A9C-8791-4d61-8D5B-BCC9448EA573} - C:\Program Files\ISM\BndDrive7.dll (file missing)
O2 - BHO: (no name) - {8F05E5CB-1D22-418D-B2EF-983B95F4EADA} - (no file)
O2 - BHO: (no name) - {CC482556-3046-4405-8885-D03570595DC8} - (no file)
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [LanzarL2007] "C:\DOCUME~1\tstarkey\LOCALS~1\Temp\{9CD6A1D8-86D7-4897-9ABC-AA2073B2DB77}\{D1DA2BA7-2592-4036-9BB2-DCCABDE8DC1A}\..\..\L2007tmp\Setup.exe" /SETUP:"/l0x0009"
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [4cb07d28] rundll32.exe "C:\WINDOWS\system32\eyhxjnga.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DrvMon.exe] C:\WINDOWS\system32\DrvMon.exe
O4 - HKCU\..\Run: [Simple Star PhotoShow Media Manager] C:\PROGRA~1\SIMPLE~1\PHOTOS~1\data\xtras\mssysmgr.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [ArtChk] C:\WINDOWS\system32\artchker.exe
O4 - HKCU\..\Run: [ISMModule8] "C:\Program Files\ISM\ISMModule8.exe"
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O23 - Service: Broadcom ASF IP monitoring service v6.0.4 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\basfipm.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--
End of file - 5630 bytes





Please direct

#7 RichieUK
    Malware Assassin
  • Malware Response Team

Posted 12 November 2007 - 04:47 AM

Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: CFScript, and save it to your desktop.

File::
C:\WINDOWS\system32\ydwerpxw.dll
C:\WINDOWS\system32\qckksjrh.exe
C:\WINDOWS\system32\vnqeamog.dll
C:\WINDOWS\system32\ressqjwk.dll
C:\WINDOWS\system32\xmlyifye.exe
C:\WINDOWS\system32\kifddcpf.dll
C:\WINDOWS\system32\afdovqpe.exe
C:\WINDOWS\system32\bflkhokc.dll
C:\WINDOWS\system32\guuwovet.dll
C:\WINDOWS\system32\nogkfeaa.exe
C:\WINDOWS\system32\agigmerh.dll
C:\WINDOWS\system32\bkgvpxrs.exe
C:\WINDOWS\system32\obmnrwkd.dll
C:\WINDOWS\system32\tjiavpwy.dll
C:\WINDOWS\system32\hsftnexf.exe
C:\WINDOWS\system32\rdlrabak.dll
C:\WINDOWS\system32\ssiuxxiq.dll
C:\WINDOWS\system32\bnwxxqgw.exe
C:\WINDOWS\system32\ucclfbta.dll
C:\WINDOWS\system32\otaujeww.dll
C:\WINDOWS\system32\oakysnth.exe
C:\WINDOWS\system32\wijhgidt.dll
C:\WINDOWS\system32\grqytthv.dll
C:\WINDOWS\system32\hrhbnvce.exe
C:\WINDOWS\system32\woqcthae.dll
C:\WINDOWS\system32\hqcwudpm.dll
C:\WINDOWS\system32\xhjkgdpw.exe
C:\WINDOWS\system32\myjrhmwd.dll
C:\WINDOWS\system32\rseashnq.dll
C:\WINDOWS\system32\lwrebvqk.dll
C:\WINDOWS\system32\gbrxytmo.dll
C:\WINDOWS\system32\VundoFixSVC.exe
C:\WINDOWS\plite731_uninstaller_.bat
C:\Documents and Settings\tstarkey.STARKY-WS1\Start Menu\Programs\Startup\PowerReg Scheduler V3.exe
Folder::
C:\Program Files\QdrModule
C:\VundoFix Backups
C:\WINDOWS\dHN0YXJreQ
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0646465D-AFB3-4478-9D3A-D65DB9DD495D}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{104870A3-2861-4FC3-27B5-A5CD56243AC2}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{12a6cc30-6f46-45a7-a9e9-20750f3f1db0}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{26DB6FEE-C6D9-4C69-86BD-E67B82FD1E8C}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4CBA5E79-4A92-459F-89B8-8A4AC53753DE}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6A914D19-505B-42ED-92FA-12A68105A64C}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8A5C0FDE-A201-447D-85CA-3777005FEAD1}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8ABA9A9C-8791-4d61-8D5B-BCC9448EA573}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8F05E5CB-1D22-418D-B2EF-983B95F4EADA}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CC482556-3046-4405-8885-D03570595DC8}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LanzarL2007"=-
"4cb07d28"=-
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ArtChk"=-
"ISMModule8"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avldr]

Now drag and drop the CFScript file onto ComboFix.exe as seen in the image below.

Posted Image

This will start ComboFix again.
After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply along with a new HijackThis log.

#8 Starkster (Topic Starter, Members)

Posted 12 November 2007 - 09:51 AM

It tells me CFScript is misspelled.

#9 RichieUK (Malware Assassin, Malware Response Team)

Posted 12 November 2007 - 10:04 AM

Please download OTMoveIt by OldTimer:
http://download.bleepingcomputer.com/oldtimer/OTMoveIt.exe

Save it to your desktop.
Please double-click OTMoveIt.exe to run it.
Copy the file paths inside the quote box below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose 'Copy'):

C:\WINDOWS\system32\ydwerpxw.dll
C:\WINDOWS\system32\qckksjrh.exe
C:\WINDOWS\system32\vnqeamog.dll
C:\WINDOWS\system32\ressqjwk.dll
C:\WINDOWS\system32\xmlyifye.exe
C:\WINDOWS\system32\kifddcpf.dll
C:\WINDOWS\system32\afdovqpe.exe
C:\WINDOWS\system32\bflkhokc.dll
C:\WINDOWS\system32\guuwovet.dll
C:\WINDOWS\system32\nogkfeaa.exe
C:\WINDOWS\system32\agigmerh.dll
C:\WINDOWS\system32\bkgvpxrs.exe
C:\WINDOWS\system32\obmnrwkd.dll
C:\WINDOWS\system32\tjiavpwy.dll
C:\WINDOWS\system32\hsftnexf.exe
C:\WINDOWS\system32\rdlrabak.dll
C:\WINDOWS\system32\ssiuxxiq.dll
C:\WINDOWS\system32\bnwxxqgw.exe
C:\WINDOWS\system32\ucclfbta.dll
C:\WINDOWS\system32\otaujeww.dll
C:\WINDOWS\system32\oakysnth.exe
C:\WINDOWS\system32\wijhgidt.dll
C:\WINDOWS\system32\grqytthv.dll
C:\WINDOWS\system32\hrhbnvce.exe
C:\WINDOWS\system32\woqcthae.dll
C:\WINDOWS\system32\hqcwudpm.dll
C:\WINDOWS\system32\xhjkgdpw.exe
C:\WINDOWS\system32\myjrhmwd.dll
C:\WINDOWS\system32\rseashnq.dll
C:\WINDOWS\system32\lwrebvqk.dll
C:\WINDOWS\system32\gbrxytmo.dll
C:\WINDOWS\system32\VundoFixSVC.exe
C:\WINDOWS\plite731_uninstaller_.bat
C:\Program Files\QdrModule
C:\VundoFix Backups
C:\WINDOWS\dHN0YXJreQ
C:\Documents and Settings\tstarkey.STARKY-WS1\Start Menu\Programs\Startup\PowerReg Scheduler V3.exe

Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
Click the red Moveit! button.

Copy everything on the 'Results' window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose 'Copy'), and paste it into your next reply.
Close OTMoveIt

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process.
If you are asked to reboot the machine choose Yes.


Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File(in the menu at the top)>Save as../Save as Type: 'All Files' /File name: fix.reg to your desktop.
Then double click on the fix.reg file on your desktop and agree to merge the information into the registry, then restart your pc.

REGEDIT4
; Full key path written out: regedit takes "~" literally, so the ComboFix-log shorthand
; HKEY_LOCAL_MACHINE\~\Browser Helper Objects would not reach the real BHO key.
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0646465D-AFB3-4478-9D3A-D65DB9DD495D}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{104870A3-2861-4FC3-27B5-A5CD56243AC2}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{12a6cc30-6f46-45a7-a9e9-20750f3f1db0}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{26DB6FEE-C6D9-4C69-86BD-E67B82FD1E8C}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4CBA5E79-4A92-459F-89B8-8A4AC53753DE}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6A914D19-505B-42ED-92FA-12A68105A64C}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8A5C0FDE-A201-447D-85CA-3777005FEAD1}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8ABA9A9C-8791-4d61-8D5B-BCC9448EA573}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8F05E5CB-1D22-418D-B2EF-983B95F4EADA}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CC482556-3046-4405-8885-D03570595DC8}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LanzarL2007"=-
"4cb07d28"=-
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ArtChk"=-
"ISMModule8"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avldr]


Double click on combofix.exe again and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.

Also post a new Hijackthis log please.
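The fix above has two mechanical parts that are easy to get wrong by hand: deciding which HijackThis lines are safe to act on, and writing the registry deletions in the right .reg syntax. The script below is an added example, not RichieUK's tooling or anything posted in this thread. It triages HijackThis O2/O4 lines for the pattern visible in the logs above (a BHO whose DLL is "(no file)" or "(file missing)", and a Run value with an 8-hex-digit name that rundll32 loads from an 8-letter system32 DLL by a one-letter export), emits the matching REGEDIT4 deletions with the full Browser Helper Objects key path written out, and then simulates what merging that .reg file does against a small dictionary model of the registry, so you can see the difference between `[-Key]` (delete the key and its subkeys) and `"name"=-` (delete one value under the preceding `[Key]`). The sample log lines are constructed in the log format shown above; the heuristics, the `Finding` class and the dictionary model are assumptions of the example, and the heuristics deliberately leave anything ambiguous (such as the ArtChk entry) for manual review.

```python
"""Triage HijackThis O2/O4 lines and emit/simulate a REGEDIT4 fix (added example, not thread tooling)."""
import re
from dataclasses import dataclass
from typing import Optional

# Real registry locations that HijackThis abbreviates in O2/O4 lines.
BHO_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
RUN_KEYS = {
    "HKLM": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    "HKCU": r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
}

# Constructed sample in the HijackThis log format seen above (not the thread's full log).
SAMPLE_HJT = r"""O2 - BHO: (no name) - {0646465D-AFB3-4478-9D3A-D65DB9DD495D} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: 0 - {104870A3-2861-4FC3-27B5-A5CD56243AC2} - C:\Program Files\Internet Explorer\qucavomad.dll (file missing)
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [4cb07d28] rundll32.exe "C:\WINDOWS\system32\eyhxjnga.dll",b
O4 - HKCU\..\Run: [ArtChk] C:\WINDOWS\system32\artchker.exe
"""

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<value>[^\]]+)\] (?P<cmd>.*)$")
HEX_VALUE_NAME = re.compile(r"^[0-9a-f]{8}$")  # e.g. "4cb07d28": no legitimate product names its Run value this way
RUNDLL_SYS32 = re.compile(  # rundll32 "<system32>\xxxxxxxx.dll",<single-letter export>
    r'^rundll32(?:\.exe)?\s+"?[A-Za-z]:\\WINDOWS\\system32\\[a-z]{8}\.dll"?,[a-z]$', re.IGNORECASE)


@dataclass
class Finding:
    line: str
    reason: str
    reg_key: str
    reg_value: Optional[str]  # None means "delete the whole key"


def triage(hjt_text: str) -> list:
    """Flag orphaned BHOs and Vundo-style Run entries; everything else is left for manual review."""
    findings = []
    for line in (raw.strip() for raw in hjt_text.splitlines()):
        m = O2_RE.match(line)
        if m:
            path = m.group("path")
            if path == "(no file)" or path.endswith("(file missing)"):
                findings.append(Finding(line, "BHO registered but its DLL is gone",
                                        BHO_KEY + "\\" + m.group("clsid"), None))
            continue
        m = O4_RE.match(line)
        if not m:
            continue
        value, cmd, reasons = m.group("value"), m.group("cmd"), []
        if HEX_VALUE_NAME.match(value):
            reasons.append("Run value name is 8 hex digits")
        if RUNDLL_SYS32.match(cmd):
            reasons.append("rundll32 loads an 8-letter system32 DLL by a one-letter export")
        if reasons:
            findings.append(Finding(line, "; ".join(reasons), RUN_KEYS[m.group("hive")], value))
    return findings


def to_regedit4(findings) -> str:
    """[-Key] removes a key and its subkeys; "name"=- removes one value under the preceding [Key]."""
    out = ["REGEDIT4", ""]
    by_key = {}
    for f in findings:
        if f.reg_value is None:
            out.append("[-" + f.reg_key + "]")
        else:
            by_key.setdefault(f.reg_key, []).append(f.reg_value)
    out.append("")
    for key, names in by_key.items():
        out.append("[" + key + "]")
        out.extend('"' + n + '"=-' for n in names)
        out.append("")
    return "\n".join(out) + "\n"


def apply_regedit4(reg_text: str, registry: dict) -> dict:
    """Simulate regedit merging the script into a {key: {value_name: data}} model (key names case-insensitive)."""
    reg = {k: dict(v) for k, v in registry.items()}  # work on a copy, like a dry run
    current = None
    for line in (raw.strip() for raw in reg_text.splitlines()):
        if line.startswith("[-") and line.endswith("]"):
            doomed = line[2:-1].lower()
            for k in list(reg):
                if k.lower() == doomed or k.lower().startswith(doomed + "\\"):
                    del reg[k]
            current = None
        elif line.startswith("[") and line.endswith("]"):
            wanted = line[1:-1]
            current = next((k for k in reg if k.lower() == wanted.lower()), wanted)
            reg.setdefault(current, {})  # regedit creates a missing [Key]
        elif line.startswith('"') and line.endswith("=-") and current is not None:
            reg[current].pop(line[1:line.index('"', 1)], None)
    return reg


if __name__ == "__main__":
    found = triage(SAMPLE_HJT)
    for f in found:
        print(f.reason, "->", f.line)
    print(to_regedit4(found))
```

Run it as-is to see the three findings and the generated .reg text; feed it a real HijackThis log and you get a script whose every deletion is traceable to one log line, which is the property you want before merging anything into the registry.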

#10 Starkster (Topic Starter, Members)

Posted 12 November 2007 - 10:15 AM

I re-followed the earlier steps and it took. Here are the logs.

ComboFix 07-11-08.3 - tstarkey 2007-11-12 9:53:29.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.666 [GMT -5:00]
Running from: C:\Documents and Settings\tstarkey.STARKY-WS1\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\tstarkey.STARKY-WS1\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\Documents and Settings\tstarkey.STARKY-WS1\Start Menu\Programs\Startup\PowerReg Scheduler V3.exe
C:\WINDOWS\plite731_uninstaller_.bat
C:\WINDOWS\system32\afdovqpe.exe
C:\WINDOWS\system32\agigmerh.dll
C:\WINDOWS\system32\bflkhokc.dll
C:\WINDOWS\system32\bkgvpxrs.exe
C:\WINDOWS\system32\bnwxxqgw.exe
C:\WINDOWS\system32\gbrxytmo.dll
C:\WINDOWS\system32\grqytthv.dll
C:\WINDOWS\system32\guuwovet.dll
C:\WINDOWS\system32\hqcwudpm.dll
C:\WINDOWS\system32\hrhbnvce.exe
C:\WINDOWS\system32\hsftnexf.exe
C:\WINDOWS\system32\kifddcpf.dll
C:\WINDOWS\system32\lwrebvqk.dll
C:\WINDOWS\system32\myjrhmwd.dll
C:\WINDOWS\system32\nogkfeaa.exe
C:\WINDOWS\system32\oakysnth.exe
C:\WINDOWS\system32\obmnrwkd.dll
C:\WINDOWS\system32\otaujeww.dll
C:\WINDOWS\system32\qckksjrh.exe
C:\WINDOWS\system32\rdlrabak.dll
C:\WINDOWS\system32\ressqjwk.dll
C:\WINDOWS\system32\rseashnq.dll
C:\WINDOWS\system32\ssiuxxiq.dll
C:\WINDOWS\system32\tjiavpwy.dll
C:\WINDOWS\system32\ucclfbta.dll
C:\WINDOWS\system32\vnqeamog.dll
C:\WINDOWS\system32\VundoFixSVC.exe
C:\WINDOWS\system32\wijhgidt.dll
C:\WINDOWS\system32\woqcthae.dll
C:\WINDOWS\system32\xhjkgdpw.exe
C:\WINDOWS\system32\xmlyifye.exe
C:\WINDOWS\system32\ydwerpxw.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\tstarkey.STARKY-WS1\Start Menu\Programs\Startup\PowerReg Scheduler V3.exe
C:\Program Files\QdrModule
C:\Program Files\QdrModule\dic.gz
C:\Program Files\QdrModule\kwd.gz
C:\Program Files\QdrModule\QdrModule9.exe
C:\VundoFix Backups
C:\WINDOWS\dHN0YXJreQ
C:\WINDOWS\plite731_uninstaller_.bat
C:\WINDOWS\system32\afdovqpe.exe
C:\WINDOWS\system32\agigmerh.dll
C:\WINDOWS\system32\bflkhokc.dll
C:\WINDOWS\system32\bkgvpxrs.exe
C:\WINDOWS\system32\bnwxxqgw.exe
C:\WINDOWS\system32\gbrxytmo.dll
C:\WINDOWS\system32\grqytthv.dll
C:\WINDOWS\system32\guuwovet.dll
C:\WINDOWS\system32\hqcwudpm.dll
C:\WINDOWS\system32\hrhbnvce.exe
C:\WINDOWS\system32\hsftnexf.exe
C:\WINDOWS\system32\kifddcpf.dll
C:\WINDOWS\system32\lwrebvqk.dll
C:\WINDOWS\system32\myjrhmwd.dll
C:\WINDOWS\system32\nogkfeaa.exe
C:\WINDOWS\system32\oakysnth.exe
C:\WINDOWS\system32\obmnrwkd.dll
C:\WINDOWS\system32\otaujeww.dll
C:\WINDOWS\system32\qckksjrh.exe
C:\WINDOWS\system32\rdlrabak.dll
C:\WINDOWS\system32\ressqjwk.dll
C:\WINDOWS\system32\rseashnq.dll
C:\WINDOWS\system32\ssiuxxiq.dll
C:\WINDOWS\system32\tjiavpwy.dll
C:\WINDOWS\system32\ucclfbta.dll
C:\WINDOWS\system32\vnqeamog.dll
C:\WINDOWS\system32\VundoFixSVC.exe
C:\WINDOWS\system32\wijhgidt.dll
C:\WINDOWS\system32\woqcthae.dll
C:\WINDOWS\system32\xhjkgdpw.exe
C:\WINDOWS\system32\xmlyifye.exe
C:\WINDOWS\system32\ydwerpxw.dll

.
((((((((((((((((((((((((( Files Created from 2007-10-12 to 2007-11-12 )))))))))))))))))))))))))))))))
.

2007-11-11 18:52 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-11 09:26 <DIR> d-------- C:\Program Files\Atari
2007-11-10 18:06 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-10 16:54 <DIR> d-------- C:\Documents and Settings\tstarkey.STARKY-WS1\.housecall6.6
2007-11-10 11:59 <DIR> d-------- C:\Program Files\Lucas Learning
2007-11-08 21:28 94,480 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-11-02 16:57 <DIR> d-------- C:\Program Files\QuickTime
2007-11-02 16:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-11-02 16:56 <DIR> d-------- C:\Program Files\Apple Software Update
2007-11-02 16:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2007-11-01 20:24 <DIR> d-------- C:\Program Files\ACW
2007-10-29 10:27 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-10-29 10:27 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2007-10-28 15:24 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2007-10-27 07:53 582,656 --------- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2007-10-26 22:06 <DIR> d-------- C:\Temp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-12 02:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-12 02:04 --------- d-----w C:\Program Files\Citrix
2007-11-12 00:53 --------- d-----w C:\Program Files\Roguescanfix
2007-11-11 14:28 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-06 22:08 --------- d-----w C:\Program Files\OpenOffice.org 2.0
2006-05-31 18:50 557,056 ----a-w C:\Documents and Settings\tstarkey\chatlnk.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="C:\WINDOWS\system32\mobsync.exe" [2004-08-04 06:00]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 16:32]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 05:24]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00]
"DrvMon.exe"="C:\WINDOWS\system32\DrvMon.exe" [2006-06-14 23:11]
"Simple Star PhotoShow Media Manager"="C:\PROGRA~1\SIMPLE~1\PHOTOS~1\data\xtras\mssysmgr.exe" [2006-01-13 16:22]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45]

C:\Documents and Settings\tstarkey\Start Menu\Programs\Startup\
HotSync Manager.lnk - C:\Program Files\Palm\HOTSYNC.EXE [2003-09-25 09:47:12]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoViewOnDrive"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Dataviz Messenger.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Dataviz Messenger.lnk
backup=C:\WINDOWS\pss\Dataviz Messenger.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=C:\WINDOWS\pss\Digital Line Detect.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
C:\Program Files\Apoint\Apoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BuildBU]
c:\dell\bldbubg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell QuickSet]
C:\Program Files\Dell\QuickSet\quickset.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell Wireless Manager UI]
C:\WINDOWS\system32\WLTRAY

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
C:\WINDOWS\system32\dla\tfswctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
"C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
C:\WINDOWS\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe]
c:\PROGRA~1\mcafee.com\agent\mcagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]
c:\PROGRA~1\mcafee.com\agent\mcupdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
"C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
"C:\Program Files\Windows Defender\MSASCui.exe" -hide

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\_AntiSpyware]
c:\progra~1\mcafee\MCAFEE~1\masalert.exe

R2 BASFND;BASFND;\??\C:\WINDOWS\system32\Drivers\BASFND.sys
R3 GTIPCI21;GTIPCI21;C:\WINDOWS\system32\DRIVERS\gtipci21.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\Loaderw.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-11-10 17:05:28 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-12 09:56:50
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-12 9:58:37 - machine was rebooted
C:\ComboFix2.txt ... 2007-11-11 21:26
C:\ComboFix3.txt ... 2007-11-11 19:07
.
--- E O F ---
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:40:53 PM, on 11/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\basfipm.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\DrvMon.exe
C:\PROGRA~1\SIMPLE~1\PHOTOS~1\data\xtras\mssysmgr.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\abc.bat.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=566...m/ig/dell?hl=en
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {0646465D-AFB3-4478-9D3A-D65DB9DD495D} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: 0 - {104870A3-2861-4FC3-27B5-A5CD56243AC2} - C:\Program Files\Internet Explorer\qucavomad.dll (file missing)
O2 - BHO: (no name) - {12a6cc30-6f46-45a7-a9e9-20750f3f1db0} - C:\WINDOWS\system32\ythevpm.dll (file missing)
O2 - BHO: (no name) - {26DB6FEE-C6D9-4C69-86BD-E67B82FD1E8C} - (no file)
O2 - BHO: (no name) - {4CBA5E79-4A92-459F-89B8-8A4AC53753DE} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {6A914D19-505B-42ED-92FA-12A68105A64C} - (no file)
O2 - BHO: (no name) - {8A5C0FDE-A201-447D-85CA-3777005FEAD1} - (no file)
O2 - BHO: BndShell3 BHO Class - {8ABA9A9C-8791-4d61-8D5B-BCC9448EA573} - C:\Program Files\ISM\BndDrive7.dll (file missing)
O2 - BHO: (no name) - {8F05E5CB-1D22-418D-B2EF-983B95F4EADA} - (no file)
O2 - BHO: (no name) - {CC482556-3046-4405-8885-D03570595DC8} - (no file)
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [LanzarL2007] "C:\DOCUME~1\tstarkey\LOCALS~1\Temp\{9CD6A1D8-86D7-4897-9ABC-AA2073B2DB77}\{D1DA2BA7-2592-4036-9BB2-DCCABDE8DC1A}\..\..\L2007tmp\Setup.exe" /SETUP:"/l0x0009"
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [4cb07d28] rundll32.exe "C:\WINDOWS\system32\eyhxjnga.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DrvMon.exe] C:\WINDOWS\system32\DrvMon.exe
O4 - HKCU\..\Run: [Simple Star PhotoShow Media Manager] C:\PROGRA~1\SIMPLE~1\PHOTOS~1\data\xtras\mssysmgr.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [ArtChk] C:\WINDOWS\system32\artchker.exe
O4 - HKCU\..\Run: [ISMModule8] "C:\Program Files\ISM\ISMModule8.exe"
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O23 - Service: Broadcom ASF IP monitoring service v6.0.4 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\basfipm.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--
End of file - 5630 bytes

#11 Starkster (Topic Starter, Members)

Posted 12 November 2007 - 10:22 AM

Sorry, I posted an old HJT log.
This is the latest. Do you still want me to do the OTMoveIt step?

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:19:46 AM, on 11/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\basfipm.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\DrvMon.exe
C:\PROGRA~1\SIMPLE~1\PHOTOS~1\data\xtras\mssysmgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32Info.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=566...m/ig/dell?hl=en
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DrvMon.exe] C:\WINDOWS\system32\DrvMon.exe
O4 - HKCU\..\Run: [Simple Star PhotoShow Media Manager] C:\PROGRA~1\SIMPLE~1\PHOTOS~1\data\xtras\mssysmgr.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O23 - Service: Broadcom ASF IP monitoring service v6.0.4 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\basfipm.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--
End of file - 4424 bytes

#12 RichieUK (Malware Assassin, Malware Response Team)

Posted 12 November 2007 - 10:28 AM

Click on Start/Run, copy and paste ComboFix /u into the 'Open:' space, then press Ok.


Please double-click OTMoveIt.exe to run it.
Click on the 'Cleanup' button.
When you do this a text file named cleanup.txt will be downloaded from the internet.
If you get a warning from your firewall or other security programs regarding OTMoveIt attempting to contact the internet you should allow it to do so.
When the 'Confirm' box appears click 'Yes'.
Restart your pc when prompted.

Download CCleaner to clear your temporary files.
Double click on the file to start the installation of the program.
Select your language and click OK, then next.
Read the license agreement and click I Agree.
Click next to use the default install location. Click Install then finish to complete installation.
Double click the CCleaner shortcut on the desktop to start the program.
Uncheck "Cookies" under "Internet Explorer".
If you are running Firefox, click on the "Applications" tab and uncheck "Cookies" under "Firefox".
Click Run Cleaner to run the program.
Caution:
It's not recommended to use the 'Issues' tab as it's known to find legitimate items.
Click Exit once CCleaner has done.


Click on Start/All Programs/Accessories/System Tools/System Restore.
In the 'System Restore' window, click on the 'Create a Restore Point' button, then click 'Next'.
In the window that appears, enter a description\name for the Restore Point, then click on 'Create', wait, then click 'Close'.
The date and time will be created automatically.

Next click on Start/All Programs/Accessories/System Tools/Disk Cleanup.
The 'Select Drive' box will appear, click on Ok.
The 'Disk Cleanup for [C:]' box will appear, click on the 'More Options' tab.
At the bottom in the 'System Restore' window, click on the 'Clean up...' button.
A box will pop up 'Are you sure you want to delete all but the most recent restore point?', click on 'Yes'.
Click on 'Yes' at 'Are you sure you want to perform these actions?'.
Now wait until 'Disk Cleanup' finishes and the box disappears.


Download\install 'SuperAntiSpyware Home Edition Free Version' from here:
http://www.superantispyware.com/downloadfi...ANTISPYWAREFREE

Launch SuperAntiSpyware and click on 'Check for updates'.
Once the updates have been installed, on the main screen click on 'Scan your computer'.
Check: 'Perform Complete Scan'.
Click 'Next' to start the scan.

SuperAntiSpyware will now scan your computer; when it's finished it will list all/any infections found.
Make sure everything found has a checkmark next to it, then press 'Next'.
Click on 'Finish' when you've done.

It's possible that the program will ask you to reboot in order to delete some files.

Obtain the SuperAntiSpyware log as follows:
Click on 'Preferences'.
Click on the 'Statistics/Logs' tab.
Under 'Scanner Logs' double click on 'SuperAntiSpyware Scan Log'.
It will then open in your default text editor, such as Notepad.
Copy and paste the contents of that report into your next reply.


Please run the F-Secure online virus/spyware scan using Internet Explorer:
http://support.f-secure.com/enu/home/ols.shtml
Follow the directions in the F-Secure page for proper installation.
Accept the License Agreement.
Once the ActiveX installs, click 'Custom Scan' and be sure the following are checked:
1. Scan whole System
2. Scan all files
3. Scan whole system for rootkits
4. Scan whole system for spyware
5. Scan inside archives
6. Use advanced heuristics
Once the download completes, the scan will begin automatically.
The scan will take some time to finish, so please be patient.
When the scan completes, click the 'I want to decide item by item' button.
For each item found, select 'Disinfect' and click 'Next'.
Click the 'Show Report' button, then copy and paste the entire report into your next reply.

Also post a new HijackThis log, and let me know how your pc is running now.

Edited by RichieUK, 12 November 2007 - 04:51 PM.


#13 Starkster (Topic Starter, Members)

Posted 12 November 2007 - 01:27 PM

You said:
"Double-click ATF-Cleaner.exe to run the program.
Click 'Select All' found at the bottom of the list.
Click the 'Empty Selected' button."

What is ATF-Cleaner.exe? I can't find it.

#14 RichieUK (Malware Assassin, Malware Response Team)

Posted 12 November 2007 - 04:52 PM

I've replaced ATF-Cleaner with CCleaner in the steps above.

#15 Starkster (Topic Starter, Members)

Posted 12 November 2007 - 06:11 PM

I could not find ATF-Cleaner, so I ran the one I have, "cleanup.stevengould". Should I run CCleaner?
Here are the logs.

ComboFix:
ComboFix 07-11-08.3 - tstarkey 2007-11-12 12:42:04.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.660 [GMT -5:00]
Running from: C:\Documents and Settings\tstarkey.STARKY-WS1\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2007-10-12 to 2007-11-12 )))))))))))))))))))))))))))))))
.

2007-11-11 18:52 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-11 09:26 <DIR> d-------- C:\Program Files\Atari
2007-11-10 18:06 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-10 16:54 <DIR> d-------- C:\Documents and Settings\tstarkey.STARKY-WS1\.housecall6.6
2007-11-10 11:59 <DIR> d-------- C:\Program Files\Lucas Learning
2007-11-08 21:28 94,480 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-11-02 16:57 <DIR> d-------- C:\Program Files\QuickTime
2007-11-02 16:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-11-02 16:56 <DIR> d-------- C:\Program Files\Apple Software Update
2007-11-02 16:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2007-11-01 20:24 <DIR> d-------- C:\Program Files\ACW
2007-10-29 10:27 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-10-29 10:27 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2007-10-28 15:24 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2007-10-27 07:53 582,656 --------- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2007-10-26 22:06 <DIR> d-------- C:\Temp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-12 02:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-12 02:04 --------- d-----w C:\Program Files\Citrix
2007-11-12 00:53 --------- d-----w C:\Program Files\Roguescanfix
2007-11-11 14:28 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-06 22:08 --------- d-----w C:\Program Files\OpenOffice.org 2.0
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-08-21 06:15 683,520 ------w C:\WINDOWS\system32\dllcache\inetcomm.dll
2007-08-20 10:04 824,832 ----a-w C:\WINDOWS\system32\dllcache\wininet.dll
2007-08-20 10:04 671,232 ----a-w C:\WINDOWS\system32\dllcache\mstime.dll
2007-08-20 10:04 63,488 ------w C:\WINDOWS\system32\dllcache\icardie.dll
2007-08-20 10:04 6,058,496 ------w C:\WINDOWS\system32\dllcache\ieframe.dll
2007-08-20 10:04 52,224 ------w C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-08-20 10:04 477,696 ----a-w C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-08-20 10:04 459,264 ------w C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-08-20 10:04 44,544 ------w C:\WINDOWS\system32\dllcache\iernonce.dll
2007-08-20 10:04 384,512 ------w C:\WINDOWS\system32\dllcache\iedkcs32.dll
2007-08-20 10:04 383,488 ------w C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-08-20 10:04 3,584,512 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2007-08-20 10:04 27,648 ----a-w C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-08-20 10:04 267,776 ------w C:\WINDOWS\system32\dllcache\iertutil.dll
2007-08-20 10:04 232,960 ------w C:\WINDOWS\system32\dllcache\webcheck.dll
2007-08-20 10:04 230,400 ------w C:\WINDOWS\system32\dllcache\ieaksie.dll
2007-08-20 10:04 214,528 ----a-w C:\WINDOWS\system32\dllcache\dxtrans.dll
2007-08-20 10:04 193,024 ----a-w C:\WINDOWS\system32\dllcache\msrating.dll
2007-08-20 10:04 153,088 ------w C:\WINDOWS\system32\dllcache\ieakeng.dll
2007-08-20 10:04 132,608 ----a-w C:\WINDOWS\system32\dllcache\extmgr.dll
2007-08-20 10:04 124,928 ------w C:\WINDOWS\system32\dllcache\advpack.dll
2007-08-20 10:04 105,984 ------w C:\WINDOWS\system32\dllcache\url.dll
2007-08-20 10:04 102,400 ------w C:\WINDOWS\system32\dllcache\occache.dll
2007-08-20 10:04 1,152,000 ----a-w C:\WINDOWS\system32\dllcache\urlmon.dll
2007-08-17 10:21 625,152 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
2007-08-17 10:20 63,488 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2007-08-17 10:20 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-08-17 07:34 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll
2006-05-31 18:50 557,056 ----a-w C:\Documents and Settings\tstarkey\chatlnk.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="C:\WINDOWS\system32\mobsync.exe" [2004-08-04 06:00]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 16:32]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 05:24]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00]
"DrvMon.exe"="C:\WINDOWS\system32\DrvMon.exe" [2006-06-14 23:11]
"Simple Star PhotoShow Media Manager"="C:\PROGRA~1\SIMPLE~1\PHOTOS~1\data\xtras\mssysmgr.exe" [2006-01-13 16:22]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45]

C:\Documents and Settings\tstarkey\Start Menu\Programs\Startup\
HotSync Manager.lnk - C:\Program Files\Palm\HOTSYNC.EXE [2003-09-25 09:47:12]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoViewOnDrive"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Dataviz Messenger.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Dataviz Messenger.lnk
backup=C:\WINDOWS\pss\Dataviz Messenger.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=C:\WINDOWS\pss\Digital Line Detect.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
C:\Program Files\Apoint\Apoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BuildBU]
c:\dell\bldbubg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell QuickSet]
C:\Program Files\Dell\QuickSet\quickset.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell Wireless Manager UI]
C:\WINDOWS\system32\WLTRAY

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
C:\WINDOWS\system32\dla\tfswctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
"C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
C:\WINDOWS\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe]
c:\PROGRA~1\mcafee.com\agent\mcagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]
c:\PROGRA~1\mcafee.com\agent\mcupdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
"C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
"C:\Program Files\Windows Defender\MSASCui.exe" -hide

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\_AntiSpyware]
c:\progra~1\mcafee\MCAFEE~1\masalert.exe

R2 BASFND;BASFND;\??\C:\WINDOWS\system32\Drivers\BASFND.sys
R3 GTIPCI21;GTIPCI21;C:\WINDOWS\system32\DRIVERS\gtipci21.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\Loaderw.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-11-10 17:05:28 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-12 12:43:26
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-12 12:43:59
C:\ComboFix2.txt ... 2007-11-12 09:58
C:\ComboFix3.txt ... 2007-11-11 21:26
.
--- E O F ---


Superantispyware

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 11/12/2007 at 03:25 PM

Application Version : 3.9.1008

Core Rules Database Version : 3342
Trace Rules Database Version: 1343

Scan type : Quick Scan
Total Scan Time : 00:11:49

Memory items scanned : 342
Memory threats detected : 0
Registry items scanned : 820
Registry threats detected : 97
File items scanned : 11220
File threats detected : 3

Adware.AdSponsor/ISM
HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\{1ED6A320-8AF3-4f06-868A-9BA95585712E}
HKCR\CLSID\{1ED6A320-8AF3-4F06-868A-9BA95585712E}
HKCR\CLSID\{1ED6A320-8AF3-4F06-868A-9BA95585712E}
HKCR\CLSID\{1ED6A320-8AF3-4F06-868A-9BA95585712E}#AppID
HKCR\CLSID\{1ED6A320-8AF3-4F06-868A-9BA95585712E}\Implemented Categories
HKCR\CLSID\{1ED6A320-8AF3-4F06-868A-9BA95585712E}\Implemented Categories\{00021493-0000-0000-C000-000000000046}
HKCR\CLSID\{1ED6A320-8AF3-4F06-868A-9BA95585712E}\InprocServer32
HKCR\CLSID\{1ED6A320-8AF3-4F06-868A-9BA95585712E}\InprocServer32#ThreadingModel
HKCR\CLSID\{1ED6A320-8AF3-4F06-868A-9BA95585712E}\ProgID
HKCR\CLSID\{1ED6A320-8AF3-4F06-868A-9BA95585712E}\TypeLib
HKCR\CLSID\{1ED6A320-8AF3-4F06-868A-9BA95585712E}\VersionIndependentProgID
C:\PROGRAM FILES\ISM\BNDDRIVE7.DLL

Malware.VirusBurst
HKCR\TypeLib\{ACF3DAB0-D308-4B7A-BFE3-E6C0FAFEB1E7}
HKCR\TypeLib\{ACF3DAB0-D308-4B7A-BFE3-E6C0FAFEB1E7}\1.0
HKCR\TypeLib\{ACF3DAB0-D308-4B7A-BFE3-E6C0FAFEB1E7}\1.0\0
HKCR\TypeLib\{ACF3DAB0-D308-4B7A-BFE3-E6C0FAFEB1E7}\1.0\0\win32
HKCR\TypeLib\{ACF3DAB0-D308-4B7A-BFE3-E6C0FAFEB1E7}\1.0\FLAGS
HKCR\TypeLib\{ACF3DAB0-D308-4B7A-BFE3-E6C0FAFEB1E7}\1.0\HELPDIR
HKCR\Interface\{02313722-BB43-4C84-80A2-7CEDFC3F8560}
HKCR\Interface\{02313722-BB43-4C84-80A2-7CEDFC3F8560}\ProxyStubClsid
HKCR\Interface\{02313722-BB43-4C84-80A2-7CEDFC3F8560}\ProxyStubClsid32
HKCR\Interface\{02313722-BB43-4C84-80A2-7CEDFC3F8560}\TypeLib
HKCR\Interface\{02313722-BB43-4C84-80A2-7CEDFC3F8560}\TypeLib#Version
HKCR\Interface\{0A03153E-AE2A-47FE-BBA3-3333C0EEEB86}
HKCR\Interface\{0A03153E-AE2A-47FE-BBA3-3333C0EEEB86}\ProxyStubClsid
HKCR\Interface\{0A03153E-AE2A-47FE-BBA3-3333C0EEEB86}\ProxyStubClsid32
HKCR\Interface\{0A03153E-AE2A-47FE-BBA3-3333C0EEEB86}\TypeLib
HKCR\Interface\{0A03153E-AE2A-47FE-BBA3-3333C0EEEB86}\TypeLib#Version
HKCR\Interface\{13854DA2-8414-4007-9693-2B6E6002520E}
HKCR\Interface\{13854DA2-8414-4007-9693-2B6E6002520E}\ProxyStubClsid
HKCR\Interface\{13854DA2-8414-4007-9693-2B6E6002520E}\ProxyStubClsid32
HKCR\Interface\{13854DA2-8414-4007-9693-2B6E6002520E}\TypeLib
HKCR\Interface\{13854DA2-8414-4007-9693-2B6E6002520E}\TypeLib#Version
HKCR\Interface\{1DF2A595-BB53-46D4-9EED-1343E066C2B0}
HKCR\Interface\{1DF2A595-BB53-46D4-9EED-1343E066C2B0}\ProxyStubClsid
HKCR\Interface\{1DF2A595-BB53-46D4-9EED-1343E066C2B0}\ProxyStubClsid32
HKCR\Interface\{1DF2A595-BB53-46D4-9EED-1343E066C2B0}\TypeLib
HKCR\Interface\{1DF2A595-BB53-46D4-9EED-1343E066C2B0}\TypeLib#Version
HKCR\Interface\{21EFA4BF-6BAC-43E9-9465-9DDB4AC2967E}
HKCR\Interface\{21EFA4BF-6BAC-43E9-9465-9DDB4AC2967E}\ProxyStubClsid
HKCR\Interface\{21EFA4BF-6BAC-43E9-9465-9DDB4AC2967E}\ProxyStubClsid32
HKCR\Interface\{21EFA4BF-6BAC-43E9-9465-9DDB4AC2967E}\TypeLib
HKCR\Interface\{21EFA4BF-6BAC-43E9-9465-9DDB4AC2967E}\TypeLib#Version
HKCR\Interface\{2CB87422-057A-4FFC-A518-6A728D6F5F65}
HKCR\Interface\{2CB87422-057A-4FFC-A518-6A728D6F5F65}\ProxyStubClsid
HKCR\Interface\{2CB87422-057A-4FFC-A518-6A728D6F5F65}\ProxyStubClsid32
HKCR\Interface\{2CB87422-057A-4FFC-A518-6A728D6F5F65}\TypeLib
HKCR\Interface\{2CB87422-057A-4FFC-A518-6A728D6F5F65}\TypeLib#Version
HKCR\Interface\{52B75F3F-0016-4002-9A3A-B68BC9501ED1}
HKCR\Interface\{52B75F3F-0016-4002-9A3A-B68BC9501ED1}\ProxyStubClsid
HKCR\Interface\{52B75F3F-0016-4002-9A3A-B68BC9501ED1}\ProxyStubClsid32
HKCR\Interface\{52B75F3F-0016-4002-9A3A-B68BC9501ED1}\TypeLib
HKCR\Interface\{52B75F3F-0016-4002-9A3A-B68BC9501ED1}\TypeLib#Version
HKCR\Interface\{6DDA751B-CA62-41C6-B622-EA4B4C2E51F8}
HKCR\Interface\{6DDA751B-CA62-41C6-B622-EA4B4C2E51F8}\ProxyStubClsid
HKCR\Interface\{6DDA751B-CA62-41C6-B622-EA4B4C2E51F8}\ProxyStubClsid32
HKCR\Interface\{6DDA751B-CA62-41C6-B622-EA4B4C2E51F8}\TypeLib
HKCR\Interface\{6DDA751B-CA62-41C6-B622-EA4B4C2E51F8}\TypeLib#Version
HKCR\Interface\{88BDD61D-AC47-4D9E-A3ED-1CAA575593E6}
HKCR\Interface\{88BDD61D-AC47-4D9E-A3ED-1CAA575593E6}\ProxyStubClsid
HKCR\Interface\{88BDD61D-AC47-4D9E-A3ED-1CAA575593E6}\ProxyStubClsid32
HKCR\Interface\{88BDD61D-AC47-4D9E-A3ED-1CAA575593E6}\TypeLib
HKCR\Interface\{88BDD61D-AC47-4D9E-A3ED-1CAA575593E6}\TypeLib#Version
HKCR\Interface\{A09DFAEF-BFA3-47CA-9479-D7EC79342146}
HKCR\Interface\{A09DFAEF-BFA3-47CA-9479-D7EC79342146}\ProxyStubClsid
HKCR\Interface\{A09DFAEF-BFA3-47CA-9479-D7EC79342146}\ProxyStubClsid32
HKCR\Interface\{A09DFAEF-BFA3-47CA-9479-D7EC79342146}\TypeLib
HKCR\Interface\{A09DFAEF-BFA3-47CA-9479-D7EC79342146}\TypeLib#Version
HKCR\Interface\{B70B489C-F0D5-4DD9-A2BA-9B6DBCF5090A}
HKCR\Interface\{B70B489C-F0D5-4DD9-A2BA-9B6DBCF5090A}\ProxyStubClsid
HKCR\Interface\{B70B489C-F0D5-4DD9-A2BA-9B6DBCF5090A}\ProxyStubClsid32
HKCR\Interface\{B70B489C-F0D5-4DD9-A2BA-9B6DBCF5090A}\TypeLib
HKCR\Interface\{B70B489C-F0D5-4DD9-A2BA-9B6DBCF5090A}\TypeLib#Version
HKCR\Interface\{B889DE48-EC10-4278-B3FF-76FEB7449215}
HKCR\Interface\{B889DE48-EC10-4278-B3FF-76FEB7449215}\ProxyStubClsid
HKCR\Interface\{B889DE48-EC10-4278-B3FF-76FEB7449215}\ProxyStubClsid32
HKCR\Interface\{B889DE48-EC10-4278-B3FF-76FEB7449215}\TypeLib
HKCR\Interface\{B889DE48-EC10-4278-B3FF-76FEB7449215}\TypeLib#Version
HKCR\Interface\{C9CA446E-0484-4647-BBF0-3C129C42047C}
HKCR\Interface\{C9CA446E-0484-4647-BBF0-3C129C42047C}\ProxyStubClsid
HKCR\Interface\{C9CA446E-0484-4647-BBF0-3C129C42047C}\ProxyStubClsid32
HKCR\Interface\{C9CA446E-0484-4647-BBF0-3C129C42047C}\TypeLib
HKCR\Interface\{C9CA446E-0484-4647-BBF0-3C129C42047C}\TypeLib#Version
HKCR\Interface\{D7DE2292-04DD-48FC-B250-5E9BFE6BB959}
HKCR\Interface\{D7DE2292-04DD-48FC-B250-5E9BFE6BB959}\ProxyStubClsid
HKCR\Interface\{D7DE2292-04DD-48FC-B250-5E9BFE6BB959}\ProxyStubClsid32
HKCR\Interface\{D7DE2292-04DD-48FC-B250-5E9BFE6BB959}\TypeLib
HKCR\Interface\{D7DE2292-04DD-48FC-B250-5E9BFE6BB959}\TypeLib#Version
HKCR\Interface\{F9B659A0-6F32-4D69-A7D0-29A0B8CDDC16}
HKCR\Interface\{F9B659A0-6F32-4D69-A7D0-29A0B8CDDC16}\ProxyStubClsid
HKCR\Interface\{F9B659A0-6F32-4D69-A7D0-29A0B8CDDC16}\ProxyStubClsid32
HKCR\Interface\{F9B659A0-6F32-4D69-A7D0-29A0B8CDDC16}\TypeLib
HKCR\Interface\{F9B659A0-6F32-4D69-A7D0-29A0B8CDDC16}\TypeLib#Version
HKCR\Interface\{FA13560C-D18C-4BE6-AE80-EBEFC6E5AD3C}
HKCR\Interface\{FA13560C-D18C-4BE6-AE80-EBEFC6E5AD3C}\ProxyStubClsid
HKCR\Interface\{FA13560C-D18C-4BE6-AE80-EBEFC6E5AD3C}\ProxyStubClsid32
HKCR\Interface\{FA13560C-D18C-4BE6-AE80-EBEFC6E5AD3C}\TypeLib
HKCR\Interface\{FA13560C-D18C-4BE6-AE80-EBEFC6E5AD3C}\TypeLib#Version

Browser Hijacker.Favorites
C:\DOCUMENTS AND SETTINGS\TSTARKEY\FAVORITES\ONLINE SECURITY TEST.URL
C:\DOCUMENTS AND SETTINGS\TSTARKEY.STARKY-WS1\FAVORITES\ONLINE SECURITY TEST.URL


Moveit results

File/Folder C:\WINDOWS\system32\ydwerpxw.dll not found.
File/Folder C:\WINDOWS\system32\qckksjrh.exe not found.
File/Folder C:\WINDOWS\system32\vnqeamog.dll not found.
File/Folder C:\WINDOWS\system32\ressqjwk.dll not found.
File/Folder C:\WINDOWS\system32\xmlyifye.exe not found.
File/Folder C:\WINDOWS\system32\kifddcpf.dll not found.
File/Folder C:\WINDOWS\system32\afdovqpe.exe not found.
File/Folder C:\WINDOWS\system32\bflkhokc.dll not found.
File/Folder C:\WINDOWS\system32\guuwovet.dll not found.
File/Folder C:\WINDOWS\system32\nogkfeaa.exe not found.
File/Folder C:\WINDOWS\system32\agigmerh.dll not found.
File/Folder C:\WINDOWS\system32\bkgvpxrs.exe not found.
File/Folder C:\WINDOWS\system32\obmnrwkd.dll not found.
File/Folder C:\WINDOWS\system32\tjiavpwy.dll not found.
File/Folder C:\WINDOWS\system32\hsftnexf.exe not found.
File/Folder C:\WINDOWS\system32\rdlrabak.dll not found.
File/Folder C:\WINDOWS\system32\ssiuxxiq.dll not found.
File/Folder C:\WINDOWS\system32\bnwxxqgw.exe not found.
File/Folder C:\WINDOWS\system32\ucclfbta.dll not found.
File/Folder C:\WINDOWS\system32\otaujeww.dll not found.
File/Folder C:\WINDOWS\system32\oakysnth.exe not found.
File/Folder C:\WINDOWS\system32\wijhgidt.dll not found.
File/Folder C:\WINDOWS\system32\grqytthv.dll not found.
File/Folder C:\WINDOWS\system32\hrhbnvce.exe not found.
File/Folder C:\WINDOWS\system32\woqcthae.dll not found.
File/Folder C:\WINDOWS\system32\hqcwudpm.dll not found.
File/Folder C:\WINDOWS\system32\xhjkgdpw.exe not found.
File/Folder C:\WINDOWS\system32\myjrhmwd.dll not found.
File/Folder C:\WINDOWS\system32\rseashnq.dll not found.
File/Folder C:\WINDOWS\system32\lwrebvqk.dll not found.
File/Folder C:\WINDOWS\system32\gbrxytmo.dll not found.
File/Folder C:\WINDOWS\system32\VundoFixSVC.exe not found.
File/Folder C:\WINDOWS\plite731_uninstaller_.bat not found.
File/Folder C:\Program Files\QdrModule not found.
File/Folder C:\VundoFix Backups not found.
File/Folder C:\WINDOWS\dHN0YXJreQ not found.
File/Folder C:\Documents and Settings\tstarkey.STARKY-WS1\Start Menu\Programs\Startup\PowerReg Scheduler V3.exe not found.

Created on 11/12/2007 12:34:42


Scanning Report
Monday, November 12, 2007 16:06:10 - 17:51:32
Computer name: STARKY-WS1
Scanning type: Scan system for viruses, rootkits, spyware
Target: C:\
________________________________________
Result: 4 malware found
HTML/IFrame (virus)
• C:\Program Files\Internet Explorer\rtelekigoc.html (Renamed & Submitted)
Vundo.gen38 (virus)
• C:\WINDOWS\system32\feqgypif.ini (Submitted)
• C:\WINDOWS\system32\tevowuug.ini (Submitted)
W32/Malware.BELZ (virus)
• C:\Program Files\Dell\NicConfigSvc\SVCLauncher.exe (Submitted)
________________________________________
Statistics
Scanned:
• Files: 125376
• System: 4292
• Not scanned: 120
Actions:
• Disinfected: 0
• Renamed: 1
• Deleted: 0
• None: 3
• Submitted: 4
Files not scanned:
x H
________________________________________
Options
Scanning engines:
• F-Secure Libra: 2.4.2, 2007-11-12
• F-Secure AVP: 7.0.171, 2007-11-12
• F-Secure Orion: 1.2.37, 2007-11-12
• F-Secure Blacklight: 1.0.64
• F-Secure Draco: 1.0.35, 0597-150-72
• F-Secure Pegasus: 1.19.0, 2007-10-05
Scanning options:
• Scan all files
• Scan inside archives
• Use Advanced heuristics
________________________________________


HJT log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:54:12 PM, on 11/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\basfipm.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\DrvMon.exe
C:\PROGRA~1\SIMPLE~1\PHOTOS~1\data\xtras\mssysmgr.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=566...m/ig/dell?hl=en
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DrvMon.exe] C:\WINDOWS\system32\DrvMon.exe
O4 - HKCU\..\Run: [Simple Star PhotoShow Media Manager] C:\PROGRA~1\SIMPLE~1\PHOTOS~1\data\xtras\mssysmgr.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Broadcom ASF IP monitoring service v6.0.4 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\basfipm.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--
End of file - 4779 bytes
