Infected With Spyware.cyberlog-x


15 replies to this topic

#1 StevieM

  • Members
  • 27 posts

Posted 16 November 2007 - 08:30 AM

Hi

My PC has been infected with a virus which causes redirection to its website and causes other pages to pop up at random (some are offensive). I cannot remove it even after clearing all temp files, cookies etc. I used my backup PC and came across your website.
I have followed your instructions below:
1) Cleaned out temp files
2) Ran Ad-Aware several times; it found files in my registry which I hope have been quarantined?
3) Ran SpyBot
4) Ran my anti-virus, Avast
5) Ran McAfee Stinger
6) Added a firewall
7) Ran HijackThis (log below)

Please help. Cheers, Steve

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:19:08, on 16/11/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\Explorer.EXE
G:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
G:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Mixer.exe
C:\WINDOWS\anvshell.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\lg_fwupdate\fwupdate.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\btbb_wcm\McciTrayApp.exe
C:\PROGRA~1\YAHOO!\browser\ybrwicon.exe
C:\PROGRA~1\BTHOME~1\HELP\SMARTB~1\BTHelpNotifier.exe
G:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
G:\PROGRA~1\MICROS~3\GAMECO~1\Common\SWTrayV4.exe
G:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\YAHOO!\browser\ycommon.exe
G:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
G:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\System32\ctfmon.exe
G:\PROGRAM FILES\MICROSOFT MONEY\SYSTEM\REMINDER.EXE
C:\Program Files\Messenger\msmsgs.exe
G:\Program Files\Microsoft ActiveSync\Wcescomm.exe
G:\PROGRA~1\MICROS~4\rapimgr.exe
C:\PROGRA~1\YAHOO!\MESSEN~1\ymsgr_tray.exe
G:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
G:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\Documents and Settings\Steve\Desktop\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [anvshell] anvshell.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LGODDFU] "C:\Program Files\lg_fwupdate\fwupdate.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [btbb_wcm_McciTrayApp] C:\Program Files\btbb_wcm\McciTrayApp.exe
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\YAHOO!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\BTHOME~1\HELP\SMARTB~1\BTHelpNotifier.exe
O4 - HKLM\..\Run: [avast!] G:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SideWinderTrayV4] G:\PROGRA~1\MICROS~3\GAMECO~1\Common\SWTrayV4.exe
O4 - HKLM\..\Run: [HP Software Update] G:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [d4c14f18] rundll32.exe "C:\WINDOWS\System32\sydkyujo.dll",b
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "G:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Reminder] G:\PROGRAM FILES\MICROSOFT MONEY\SYSTEM\REMINDER.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\YAHOO!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [H/PC Connection Agent] "G:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] G:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = G:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://G:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - G:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - G:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - G:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: BT Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - G:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - G:\PROGRA~1\SPYBOT~1\SDHelper.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: Win32 Classes -
O20 - AppInit_DLLs: C:\WINDOWS\System32\__c006A736.dat
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - G:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - G:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - G:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - G:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - G:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: ASUS Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\SYSTEM32\YPCSER~1.EXE

--
End of file - 7006 bytes


#2 Yourhighness

    The BSG Malware Fighter

  • Malware Response Team
  • 7,943 posts
  • Gender:Male
  • Location:Hamburg

Posted 25 November 2007 - 01:37 PM

Hello StevieM and welcome to BleepingComputer!

Apologies for the delay. If you are still having problems, please post a brand new HijackThis log as a reply to this topic. Before posting the log, please make sure you follow all the steps found in this topic:

Preparation Guide For Use Before Posting A Hijackthis Log.

Thanks,

Johannes

Edited by Yourhighness, 25 November 2007 - 01:38 PM.

"How did I get infected?" - "Safe-hex" - Member of UNITE -


#3 StevieM
  • Topic Starter

  • Members
  • 27 posts

Posted 26 November 2007 - 01:39 PM

Hi Johannes

Thanks for response.
I have carried out the tasks required in the preparation guide and below is a new hijackthis log

thanks for your help
Steve

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:33:27, on 26/11/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
G:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\Explorer.EXE
G:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
G:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\anvshell.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\lg_fwupdate\fwupdate.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\btbb_wcm\McciTrayApp.exe
G:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
G:\PROGRA~1\MICROS~3\GAMECO~1\Common\SWTrayV4.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\HPZipm12.exe
G:\PROGRAM FILES\MICROSOFT MONEY\SYSTEM\REMINDER.EXE
C:\Program Files\Messenger\msmsgs.exe
G:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\WINDOWS\System32\svchost.exe
G:\PROGRA~1\MICROS~4\rapimgr.exe
G:\Program Files\Alwil Software\Avast4\ashWebSv.exe
G:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Steve\Desktop\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [anvshell] anvshell.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LGODDFU] "C:\Program Files\lg_fwupdate\fwupdate.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [btbb_wcm_McciTrayApp] C:\Program Files\btbb_wcm\McciTrayApp.exe
O4 - HKLM\..\Run: [avast!] G:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SideWinderTrayV4] G:\PROGRA~1\MICROS~3\GAMECO~1\Common\SWTrayV4.exe
O4 - HKLM\..\Run: [d4c14f18] rundll32.exe "C:\WINDOWS\System32\sydkyujo.dll",b
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Reminder] G:\PROGRAM FILES\MICROSOFT MONEY\SYSTEM\REMINDER.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "G:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://G:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - G:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - G:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - G:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: BT Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - G:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - G:\PROGRA~1\SPYBOT~1\SDHelper.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: Win32 Classes -
O20 - AppInit_DLLs: C:\WINDOWS\System32\__c006A736.dat
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - G:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - G:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - G:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - G:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - G:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: ASUS Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\SYSTEM32\YPCSER~1.EXE

--
End of file - 5710 bytes

#4 Yourhighness

    The BSG Malware Fighter

  • Malware Response Team
  • 7,943 posts
  • Gender:Male
  • Location:Hamburg

Posted 27 November 2007 - 05:13 AM

Hey Steve,

Please note that you are lagging behind on some service packs & updates. You will need to take care of that at a later stage. For now, please do the following:

Step #1

Run HijackThis, press Scan, and put a check mark next to all these entries:

O4 - HKLM\..\Run: [d4c14f18] rundll32.exe "C:\WINDOWS\System32\sydkyujo.dll",b
O16 - DPF: Win32 Classes -


Close all other windows and browsers, and press the Fix Checked button.

Step #2

Please download VundoFix.exe to your desktop
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

Step #3

Please do an online scan with Kaspersky Webscan (you need to use Internet Explorer or enable IEView in Firefox)

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings, make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now, under "Select a target to scan", select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save Report As button >> name it >> choose "Text file" in the Save as type dialogue
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

Step #4

Please download Deckard's System Scanner (DSS) to your Desktop. Note: You must be logged onto an account with administrator privileges.
  • Close ALL applications and windows.
  • Double-click on dss.exe to run it, and follow the prompts.
  • When the scan is complete, two text files will open: main.txt (this one will be maximized) and extra.txt (this one will be minimized)
  • Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt and the extra.txt to your post.
The logs can be quite lengthy; use two posts if you need to get them all in.

Step #5

Please post back with the VundoFix log "vundofix.txt", the log from the Kaspersky Online Scan, and the main.txt and extra.txt from the DSS scan. Thanks.

Edited by Yourhighness, 27 November 2007 - 05:14 AM.

"How did I get infected?" - "Safe-hex" - Member of UNITE -


#5 StevieM
  • Topic Starter

  • Members
  • 27 posts

Posted 29 November 2007 - 01:46 PM

Thanks for help so far.

Please see below the VundoFix log and a new HijackThis log (other logs in separate posts)


VundoFix V6.6.2

Checking Java version...

Sun Java not detected
Scan started at 18:18:54 28/11/2007

Listing files found while scanning....

C:\windows\SYSTEM32\acbeg.ini
C:\windows\SYSTEM32\gebca.dll
C:\windows\SYSTEM32\rqdinnkw.dll

Beginning removal...

Attempting to delete C:\windows\SYSTEM32\acbeg.ini
C:\windows\SYSTEM32\acbeg.ini Has been deleted!

Attempting to delete C:\windows\SYSTEM32\gebca.dll
C:\windows\SYSTEM32\gebca.dll Has been deleted!

Attempting to delete C:\windows\SYSTEM32\rqdinnkw.dll
C:\windows\SYSTEM32\rqdinnkw.dll Has been deleted!

Performing Repairs to the registry.
Done!





Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:24:48, on 28/11/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\Explorer.EXE
G:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
G:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
G:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\anvshell.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\lg_fwupdate\fwupdate.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\btbb_wcm\McciTrayApp.exe
G:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
G:\PROGRA~1\MICROS~3\GAMECO~1\Common\SWTrayV4.exe
C:\WINDOWS\System32\ctfmon.exe
G:\PROGRAM FILES\MICROSOFT MONEY\SYSTEM\REMINDER.EXE
C:\Program Files\Messenger\msmsgs.exe
G:\Program Files\Microsoft ActiveSync\Wcescomm.exe
G:\PROGRA~1\MICROS~4\rapimgr.exe
G:\Program Files\Alwil Software\Avast4\ashWebSv.exe
G:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Steve\Desktop\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {334FA082-A58D-46C6-B212-74EDCFAC1F80} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - G:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {5EC6E847-7997-4740-82B7-473337292592} - (no file)
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: (no name) - {762E6DBB-D6C5-4FFB-8FA6-4ACFD915F429} - C:\WINDOWS\System32\gebca.dll (file missing)
O2 - BHO: (no name) - {9BF6EEBD-0CE8-49AD-B93B-7EBBD4BF8C4A} - (no file)
O2 - BHO: {cb84aeba-0bf2-dbca-bec4-127673ac31f9} - {9f13ca37-6721-4ceb-acbd-2fb0abea48bc} - C:\WINDOWS\System32\hhlowteo.dll (file missing)
O2 - BHO: (no name) - {BD8C2951-3AA1-4B36-9D6B-E52EF2AF4B5E} - C:\Program Files\PLUS!\horevodalC:\WINDOWS\System32\x2\jumper83122.exe.dll (file missing)
O2 - BHO: (no name) - {C3D2C229-221A-4FC0-B8A8-6CE67CA50DBE} - (no file)
O2 - BHO: (no name) - {E4EDD9AB-44E8-43B1-845B-FD5D882245C1} - (no file)
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O2 - BHO: (no name) - {F397DE4B-7E21-4B11-9DC8-2F4FC7A67EE4} - (no file)
O2 - BHO: (no name) - {F5797728-155E-42DC-93AA-2B30C75092C6} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [anvshell] anvshell.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LGODDFU] "C:\Program Files\lg_fwupdate\fwupdate.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [btbb_wcm_McciTrayApp] C:\Program Files\btbb_wcm\McciTrayApp.exe
O4 - HKLM\..\Run: [avast!] G:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SideWinderTrayV4] G:\PROGRA~1\MICROS~3\GAMECO~1\Common\SWTrayV4.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Reminder] G:\PROGRAM FILES\MICROSOFT MONEY\SYSTEM\REMINDER.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "G:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://G:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - G:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - G:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - G:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: BT Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - G:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - G:\PROGRA~1\SPYBOT~1\SDHelper.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O20 - AppInit_DLLs: C:\WINDOWS\System32\__c006A736.dat
O20 - Winlogon Notify: hobpyupn - hobpyupn.dll (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - G:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - G:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - G:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - G:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - G:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: ASUS Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\SYSTEM32\YPCSER~1.EXE

--
End of file - 7324 bytes



Here is the Kaspersky log

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Wednesday, November 28, 2007 8:55:17 PM
Operating System: Microsoft Windows XP Professional, Service Pack 1 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 28/11/2007
Kaspersky Anti-Virus database records: 467840
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\

Scan Statistics:
Total number of scanned objects: 499568
Number of viruses found: 6
Number of infected objects: 15
Number of suspicious objects: 0
Duration of the scan process: 02:10:04

Infected Object Name / Virus Name / Last Action
C:\WINDOWS\SYSTEM32\config\system.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\software.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\default.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SECURITY Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SAM Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SYSTEM Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\SYSTEM32\config\DEFAULT Object is locked skipped
C:\WINDOWS\SYSTEM32\config\Antivirus.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\SYSTEM32\h323log.txt Object is locked skipped
C:\WINDOWS\SYSTEM32\mljkigd.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.aqj skipped
C:\WINDOWS\SYSTEM32\rMa01yy\rMa01yy1065.exe Infected: Trojan-Downloader.Win32.VB.bsp skipped
C:\WINDOWS\SYSTEM32\rev3\revdrive33b.exe Infected: Trojan-Downloader.Win32.Small.gll skipped
C:\WINDOWS\SYSTEM32\cbxurqr.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.aqj skipped
C:\WINDOWS\SYSTEM32\rqromlk.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.aqj skipped
C:\WINDOWS\SYSTEM32\urqpnmm.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.aqj skipped
C:\WINDOWS\SYSTEM32\ddccyax.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.aqj skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\TEMP\Perflib_Perfdata_47c.dat Object is locked skipped
C:\WINDOWS\TEMP\_avast4_\Webshlock.txt Object is locked skipped
C:\WINDOWS\SchedLog.Txt Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\Documents and Settings\Steve\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Steve\Local Settings\Temp\WCESLog.log Object is locked skipped
C:\Documents and Settings\Steve\Local Settings\Temp\qrjatydi.exe Infected: not-a-virus:Downloader.Win32.WinFixer.au skipped
C:\Documents and Settings\Steve\Local Settings\Temp\mofugclq.exe Infected: not-a-virus:Downloader.Win32.WinFixer.au skipped
C:\Documents and Settings\Steve\Local Settings\Temp\urclqecd.exe Infected: not-a-virus:Downloader.Win32.WinFixer.au skipped
C:\Documents and Settings\Steve\Local Settings\Temp\~DFA4FA.tmp Object is locked skipped
C:\Documents and Settings\Steve\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Steve\Local Settings\History\History.IE5\MSHist012007112820071129\index.dat Object is locked skipped
C:\Documents and Settings\Steve\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Steve\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Steve\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Steve\Desktop\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Steve\Desktop\SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Steve\Desktop\SmitfraudFix.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Steve\Desktop\SmitfraudFix.exe RarSFX: infected - 2 skipped
C:\Documents and Settings\Steve\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Steve\Application Data\$_hpcst$.hpc Object is locked skipped
C:\Documents and Settings\Steve\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\VundoFix Backups\rqdinnkw.dll.bad Infected: not-a-virus:AdWare.Win32.SecToolBar.k skipped
G:\Program Files\Alwil Software\Avast4\DATA\report\Resident protection.txt Object is locked skipped
G:\Program Files\Alwil Software\Avast4\DATA\log\nshield.log Object is locked skipped
G:\Program Files\Alwil Software\Avast4\DATA\log\aswMaiSv.log Object is locked skipped
G:\Program Files\Alwil Software\Avast4\DATA\log\AshWebSv.ws Object is locked skipped
G:\Program Files\Alwil Software\Avast4\DATA\integ\avast.int Object is locked skipped
G:\Program Files\Alwil Software\Avast4\DATA\aswResp.dat Object is locked skipped
G:\Program Files\Alwil Software\Avast4\DATA\Avast4.db Object is locked skipped

Scan process completed.

#6 StevieM

Posted 29 November 2007 - 01:48 PM

Here are the DSS main and extra logs

Deckard's System Scanner v20071014.68
Run by Steve on 2007-11-29 18:37:27
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Failed to create restore point; disk is full.


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Steve.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:38:36, on 29/11/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
G:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\Explorer.EXE
G:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\anvshell.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\btbb_wcm\McciTrayApp.exe
G:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
G:\PROGRA~1\MICROS~3\GAMECO~1\Common\SWTrayV4.exe
C:\WINDOWS\System32\ctfmon.exe
G:\PROGRAM FILES\MICROSOFT MONEY\SYSTEM\REMINDER.EXE
G:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\WINDOWS\system32\spoolsv.exe
G:\PROGRA~1\MICROS~4\rapimgr.exe
G:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Steve\Desktop\dss.exe
C:\DOCUME~1\Steve\Desktop\HIJACK~1\Steve.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {334FA082-A58D-46C6-B212-74EDCFAC1F80} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - G:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {5EC6E847-7997-4740-82B7-473337292592} - (no file)
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: (no name) - {762E6DBB-D6C5-4FFB-8FA6-4ACFD915F429} - C:\WINDOWS\System32\gebca.dll (file missing)
O2 - BHO: (no name) - {9BF6EEBD-0CE8-49AD-B93B-7EBBD4BF8C4A} - (no file)
O2 - BHO: {cb84aeba-0bf2-dbca-bec4-127673ac31f9} - {9f13ca37-6721-4ceb-acbd-2fb0abea48bc} - C:\WINDOWS\System32\hhlowteo.dll (file missing)
O2 - BHO: (no name) - {BD8C2951-3AA1-4B36-9D6B-E52EF2AF4B5E} - C:\Program Files\PLUS!\horevodalC:\WINDOWS\System32\x2\jumper83122.exe.dll (file missing)
O2 - BHO: (no name) - {C3D2C229-221A-4FC0-B8A8-6CE67CA50DBE} - (no file)
O2 - BHO: (no name) - {E4EDD9AB-44E8-43B1-845B-FD5D882245C1} - (no file)
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O2 - BHO: (no name) - {F397DE4B-7E21-4B11-9DC8-2F4FC7A67EE4} - (no file)
O2 - BHO: (no name) - {F5797728-155E-42DC-93AA-2B30C75092C6} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [anvshell] anvshell.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LGODDFU] "C:\Program Files\lg_fwupdate\fwupdate.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [btbb_wcm_McciTrayApp] C:\Program Files\btbb_wcm\McciTrayApp.exe
O4 - HKLM\..\Run: [avast!] G:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SideWinderTrayV4] G:\PROGRA~1\MICROS~3\GAMECO~1\Common\SWTrayV4.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Reminder] G:\PROGRAM FILES\MICROSOFT MONEY\SYSTEM\REMINDER.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "G:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://G:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - G:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - G:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - G:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: BT Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - G:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - G:\PROGRA~1\SPYBOT~1\SDHelper.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O20 - AppInit_DLLs: C:\WINDOWS\System32\__c006A736.dat
O20 - Winlogon Notify: hobpyupn - hobpyupn.dll (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - G:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - G:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - G:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - G:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - G:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: ASUS Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\SYSTEM32\YPCSER~1.EXE

--
End of file - 7310 bytes

-- HijackThis Fixed Entries (C:\DOCUME~1\Steve\Desktop\HIJACK~1\backups\) ------

backup-20071128-181534-615 O4 - HKLM\..\Run: [d4c14f18] rundll32.exe "C:\WINDOWS\System32\sydkyujo.dll",b
backup-20071128-181534-533 O16 - DPF: Win32 Classes -

-- File Associations -----------------------------------------------------------

.bat - batfile - DefaultIcon - C:\WINDOWS\SYSTEM32\SHELL32.DLL,-153
.com - comfile - DefaultIcon - C:\WINDOWS\SYSTEM32\SHELL32.DLL,2
.hlp - hlpfile - DefaultIcon - C:\WINDOWS\SYSTEM32\SHELL32.DLL,23
.ini - inifile - DefaultIcon - shell32.dll,-151
.js - JSFile - DefaultIcon - C:\WINDOWS\System32\migicons.exe,7
.reg - regfile - DefaultIcon - C:\WINDOWS\regedit.exe,1
.txt - txtfile - DefaultIcon - shell32.dll,-152
.vbs - VBSFile - DefaultIcon - C:\WINDOWS\System32\migicons.exe,6


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 Teefer (Teefer for NT) - c:\windows\system32\drivers\teefer.sys <Not Verified; Sygate Technologies, Inc.; Sygate Teefer Driver>
R1 ANVIOCTL - c:\windows\system32\drivers\anvioctl.sys <Not Verified; ASUSTeK; ASUS VGA Driver for NT>
R1 ANVOSDNT (ASUS Keyboard Filter Driver) - c:\windows\system32\drivers\anvosdnt.sys <Not Verified; ASUS; ASUS keyboard filter driver>
R1 wpsdrvnt - c:\windows\system32\drivers\wpsdrvnt.sys <Not Verified; Sygate Technologies, Inc.; wpsdrvnt>
R3 MRENDIS5 (MRENDIS5 NDIS Protocol Driver) - c:\program files\common files\motive\mrendis5.sys <Not Verified; Motive, Inc.; Motive Rawether for Windows>
R3 pfc (Padus ASPI Shell) - c:\windows\system32\drivers\pfc.sys <Not Verified; Padus, Inc.; Padus® ASPI Shell>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

S3 YPCService - c:\windows\system32\ypcser~1.exe <Not Verified; Yahoo! Inc.; YPCService Module>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2007-11-28 20:50:02 258 --a------ C:\WINDOWS\Tasks\Uninstall Expiration Reminder.job
2007-11-28 20:00:54 350 --a------ C:\WINDOWS\Tasks\At21.job
2007-11-28 19:01:56 350 --a------ C:\WINDOWS\Tasks\At20.job
2007-11-25 09:01:50 350 --a------ C:\WINDOWS\Tasks\At10.job
2007-11-24 16:01:48 350 --a------ C:\WINDOWS\Tasks\At17.job
2007-11-24 11:01:48 350 --a------ C:\WINDOWS\Tasks\At12.job
2007-11-24 10:01:56 350 --a------ C:\WINDOWS\Tasks\At11.job
2007-11-17 18:02:04 350 --a------ C:\WINDOWS\Tasks\At19.job
2007-11-17 17:01:54 350 --a------ C:\WINDOWS\Tasks\At18.job
2007-11-16 14:01:54 350 --a------ C:\WINDOWS\Tasks\At15.job
2007-11-16 13:01:58 350 --a------ C:\WINDOWS\Tasks\At14.job
2007-11-16 12:00:48 350 --a------ C:\WINDOWS\Tasks\At13.job
2007-11-16 08:02:00 350 --a------ C:\WINDOWS\Tasks\At9.job
2007-11-14 15:00:46 350 --a------ C:\WINDOWS\Tasks\At16.job
2007-11-14 10:04:58 350 --a------ C:\WINDOWS\Tasks\At8.job
2007-11-14 10:04:58 350 --a------ C:\WINDOWS\Tasks\At7.job
2007-11-14 10:04:58 350 --a------ C:\WINDOWS\Tasks\At6.job
2007-11-14 10:04:58 350 --a------ C:\WINDOWS\Tasks\At5.job
2007-11-14 10:04:58 350 --a------ C:\WINDOWS\Tasks\At4.job
2007-11-14 10:04:58 350 --a------ C:\WINDOWS\Tasks\At3.job
2007-11-14 10:04:58 350 --a------ C:\WINDOWS\Tasks\At24.job
2007-11-14 10:04:58 350 --a------ C:\WINDOWS\Tasks\At23.job
2007-11-14 10:04:58 350 --a------ C:\WINDOWS\Tasks\At22.job
2007-11-14 10:04:58 350 --a------ C:\WINDOWS\Tasks\At2.job
2007-11-14 10:04:58 350 --a------ C:\WINDOWS\Tasks\At1.job
2007-11-07 19:00:02 502 --a------ C:\WINDOWS\Tasks\Tune-up Application Start.job


-- Files created between 2007-10-29 and 2007-11-29 -----------------------------

2007-11-28 18:30:09 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-11-28 18:30:08 0 d-------- C:\WINDOWS\System32\Kaspersky Lab
2007-11-28 18:18:54 0 d-------- C:\VundoFix Backups
2007-11-17 16:20:11 0 dr-h----- C:\Documents and Settings\Steve\Recent
2007-11-16 12:48:20 60496 --a------ C:\WINDOWS\System32\drivers\Teefer.sys <Not Verified; Sygate Technologies, Inc.; Sygate Teefer Driver>
2007-11-16 12:48:19 21075 --a------ C:\WINDOWS\System32\drivers\wpsdrvnt.sys <Not Verified; Sygate Technologies, Inc.; wpsdrvnt>
2007-11-16 12:48:09 0 d-------- C:\Program Files\Sygate
2007-11-14 10:10:56 0 d-------- C:\Documents and Settings\Steve\Application Data\Lavasoft
2007-11-14 10:04:55 27200 --a------ C:\WINDOWS\System32\M3BqWtij.exe
2007-11-14 08:42:43 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-14 07:20:17 25600 --a------ C:\WINDOWS\System32\WS2Fix.exe
2007-11-14 07:20:17 289144 --a------ C:\WINDOWS\System32\VCCLSID.exe <Not Verified; S!Ri; >
2007-11-14 07:20:17 288417 --a------ C:\WINDOWS\System32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
2007-11-14 07:20:17 53248 --a------ C:\WINDOWS\System32\Process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>
2007-11-14 07:20:17 51200 --a------ C:\WINDOWS\System32\dumphive.exe
2007-11-13 17:55:38 3160 --a------ C:\WINDOWS\System32\tmp.reg
2007-11-13 17:51:38 0 d-------- C:\Documents and Settings\Steve\Application Data\Grisoft
2007-11-13 17:51:26 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-11-11 10:31:22 0 dr------- C:\Documents and Settings\All Users\Application Data\SalesMonitor
2007-11-11 07:55:14 88128 --a------ C:\WINDOWS\System32\sydkyujo.dll
2007-11-11 07:48:56 0 d--hs---- C:\FOUND.001
2007-11-10 17:22:51 0 d-------- C:\Program Files\WinAble
2007-11-10 17:20:17 36352 --a------ C:\WINDOWS\System32\ddccyax.dll
2007-11-10 17:19:13 36352 --a------ C:\WINDOWS\System32\urqpnmm.dll
2007-11-10 17:18:55 36352 --a------ C:\WINDOWS\System32\rqromlk.dll
2007-11-10 17:17:45 0 d-------- C:\Program Files\Temporary
2007-11-10 17:15:19 36352 --a------ C:\WINDOWS\System32\cbxurqr.dll
2007-11-10 17:14:45 0 d-------- C:\WINDOWS\System32\rev3
2007-11-10 17:14:34 0 d-------- C:\WINDOWS\System32\x2
2007-11-10 17:14:34 0 d-------- C:\WINDOWS\System32\dn5
2007-11-10 17:14:21 0 d-------- C:\WINDOWS\System32\rMa01yy
2007-11-10 17:14:21 0 d-------- C:\Temp
2007-11-10 17:14:19 36352 --a------ C:\WINDOWS\System32\mljkigd.dll


-- Find3M Report ---------------------------------------------------------------

2007-10-22 08:55:42 73216 --a------ C:\WINDOWS\ST6UNST.EXE <Not Verified; Microsoft Corporation; Microsoft® Visual Basic for Windows>
2007-10-22 08:55:42 286720 -----n--- C:\WINDOWS\Setup1.exe <Not Verified; Microsoft Corporation; Microsoft Visual Basic for Windows>
2007-10-19 15:15:02 0 d-------- C:\Documents and Settings\Steve\Application Data\Motive
2007-10-18 15:48:24 0 d-------- C:\Documents and Settings\Steve\Application Data\WinRAR
2007-10-13 18:27:04 0 d-------- C:\Program Files\JustZIPit
2007-10-07 11:18:30 2528 --a------ C:\Documents and Settings\Steve\Application Data\$_hpcst$.hpc
2007-09-22 20:44:36 286720 --a------ C:\WINDOWS\iun506.exe <Not Verified; Indigo Rose Corporation; Setup Factory 5.0 Uninstaller>


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{334FA082-A58D-46C6-B212-74EDCFAC1F80}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5EC6E847-7997-4740-82B7-473337292592}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{762E6DBB-D6C5-4FFB-8FA6-4ACFD915F429}]
C:\WINDOWS\System32\gebca.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9BF6EEBD-0CE8-49AD-B93B-7EBBD4BF8C4A}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9f13ca37-6721-4ceb-acbd-2fb0abea48bc}]
C:\WINDOWS\System32\hhlowteo.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BD8C2951-3AA1-4B36-9D6B-E52EF2AF4B5E}]
C:\Program Files\PLUS!\horevodalC:\WINDOWS\System32\x2\jumper83122.exe.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C3D2C229-221A-4FC0-B8A8-6CE67CA50DBE}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E4EDD9AB-44E8-43B1-845B-FD5D882245C1}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F397DE4B-7E21-4B11-9DC8-2F4FC7A67EE4}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F5797728-155E-42DC-93AA-2B30C75092C6}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe" [18/11/2001 21:12 C:\WINDOWS\SYSTEM32\systray.exe]
"NvCplDaemon"="NvQTwk" []
"anvshell"="anvshell.exe" [28/01/2002 11:12 C:\WINDOWS\anvshell.exe]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [09/07/2001 11:50]
"LGODDFU"="C:\Program Files\lg_fwupdate\fwupdate.exe" [12/04/2005 10:11]
"RemoteControl"="C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" [08/12/2003 17:35]
"btbb_wcm_McciTrayApp"="C:\Program Files\btbb_wcm\McciTrayApp.exe" [29/12/2005 11:22]
"avast!"="G:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [06/09/2007 11:06]
"SideWinderTrayV4"="G:\PROGRA~1\MICROS~3\GAMECO~1\Common\SWTrayV4.exe" [28/06/2000 14:34]
"SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [15/10/2004 19:40]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\ctfmon.exe" [29/08/2002 02:41]
"Reminder"="G:\PROGRAM FILES\MICROSOFT MONEY\SYSTEM\REMINDER.EXE" [12/11/1997 00:00]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [20/08/2002 15:08]
"eyeBeam SIP Client"="" []
"H/PC Connection Agent"="G:\Program Files\Microsoft ActiveSync\Wcescomm.exe" [13/11/2006 13:39]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\hobpyupn]
hobpyupn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\WINDOWS\System32\__c006A736.dat

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\System32\gebca.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme




-- End of Deckard's System Scanner: finished at 2007-11-29 18:39:14 ------------



Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 1.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® 4 CPU 2.00GHz
Percentage of Memory in Use: 30%
Physical Memory (total/avail): 767.47 MiB / 530.29 MiB
Pagefile Memory (total/avail): 1878.7 MiB / 1652.45 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1954.38 MiB

A: is Removable (No Media)
C: is Fixed (FAT32) - 31.48 GiB total, 5.37 GiB free.
D: is CDROM (No Media)
E: is CDROM (No Media)
F: is Fixed (NTFS) - 86.65 GiB total, 56.39 GiB free.
G: is Fixed (FAT32) - 30.9 GiB total, 20.24 GiB free.

\\.\PHYSICALDRIVE0 - WDC WD1600JB-22REA0 - 149.05 GiB - 3 partitions
\PARTITION0 (bootable) - Unknown - 31.49 GiB - C:
\PARTITION1 - Unknown - 30.91 GiB - G:
\PARTITION2 - Installable File System - 86.65 GiB - F:



-- Security Center -------------------------------------------------------------

AUOptions is disabled.


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Steve\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=STEVE
ComSpec=C:\WINDOWS\system32\cmd.exe
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Steve
LOGONSERVER=\\STEVE
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\WBEM
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 1 Stepping 2, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0102
ProgramFiles=C:\Program Files
PROMPT=$p$g
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Steve\LOCALS~1\Temp
TMP=C:\DOCUME~1\Steve\LOCALS~1\Temp
USERDOMAIN=STEVE
USERNAME=Steve
USERPROFILE=C:\Documents and Settings\Steve
winbootdir=C:\WINDOWS
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Steve (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> "C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:WIN9X /UNINSTALL /PROMPT
--> C:\PROGRA~1\BTHOME~1\HELP\Uninstall.exe btbb
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
2006 Easton Shaft Selector --> G:\PROGRA~1\EASTON~1\2006SH~1\UNWISE.EXE G:\PROGRA~1\EASTON~1\2006SH~1\INSTALL.LOG
Adobe Acrobat 5.0 --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.isu" -c"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.dll"
Adobe Flash Player ActiveX --> C:\WINDOWS\System32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 7.0 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7646-A70000000000}
ASUS Display Drivers --> C:\WINDOWS\anvunis.exe
avast! Antivirus --> rundll32 G:\PROGRA~1\ALWILS~1\Avast4\Setup\setiface.dll,RunSetup
AVG Anti-Spyware 7.5 --> G:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Uninstall.exe
Britannica CD 99 Multimedia Edition --> C:\WINDOWS\IsUninst.exe -f"G:\Program Files\Britannica\BCD\bcd99mm.isu"
BT Broadband Desktop Help --> C:\WINDOWS\Motive\btbb\MCCUninst.exe
BT Home Hub --> C:\Program Files\BT Home Hub\Uninstall.exe
BT Wireless Connection Manager --> C:\Program Files\Common Files\Motive\InstallHelper.exe /dir=C:\Program Files\Common Files\Motive /uninstallvendor=btbb_wcm /uninstallkey=BT Wireless Connection Manager
BT Yahoo! Applications --> C:\PROGRA~1\YAHOO!\COMMON\uninstall.exe
CCleaner (remove only) --> "G:\Program Files\CCleaner\uninst.exe"
CfgEdit 1.4 --> G:\Program Files\CfgEdit\Uninstal.exe
CorelDRAW 10 --> C:\WINDOWS\Corel\uninst32.exe
CorelDRAW 10 --> MsiExec.exe /I{9E50DEC9-081B-441F-B647-98DBEA8B01DD}
Data Lifeguard Tools --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2C0A655C-61E7-428A-8ED2-23A3D20E7DD2}\Setup.exe"
DVD Shrink 3.2 --> "G:\Program Files\DVD Shrink\unins000.exe"
DVD Solution --> "C:\Program Files\Uninstall_CDS.exe"
EditVoicepack --> MsiExec.exe /I{1EC65D1D-3911-4F7D-8B6A-63C69EDBFC6E}
FDC Update Version 1.6 --> G:\PROGRA~1\FDC\UNWISE.EXE G:\PROGRA~1\FDC\INSTALL.LOG
FlightDeck Companion --> G:\PROGRA~1\FDC\UNWISE.EXE G:\PROGRA~1\FDC\INSTALL.LOG
FSHotSFX 1.1 Full --> MsiExec.exe /I{F5CF3B24-CF7F-4B77-B7E3-446046714AF2}
Ground Environment Professional --> G:\Program Files\Flight One Software\GEProUninstal.exe
HijackThis 2.0.2 --> "C:\Documents and Settings\Steve\Desktop\HiJackThis\HijackThis.exe" /uninstall
HP Document Viewer 5.3 --> G:\Program Files\HP\Digital Imaging\DocumentViewer\hpzscr01.exe -datfile hpqbud04.dat
HP Image Zone 5.3 --> G:\Program Files\HP\Digital Imaging\uninstall\hpzscr01.exe -datfile hpqscr01.dat
HP Imaging Device Functions 5.3 --> G:\Program Files\HP\Digital Imaging\DigitalImagingMonitor\hpzscr01.exe -datfile hpqbud01.dat
HP PSC & OfficeJet 5.3.B --> "G:\Program Files\HP\Digital Imaging\{5B79CFD1-6845-4158-9D7D-6BE89DF2C135}\setup\hpzscr01.exe" -datfile hposcr07.dat
HP Software Update --> MsiExec.exe /X{15EE79F4-4ED1-4267-9B0F-351009325D7D}
HP Solution Center & Imaging Support Tools 5.3 --> G:\Program Files\HP\Digital Imaging\eSupport\hpzscr01.exe -datfile hpqbud05.dat
InCD --> C:\WINDOWS\NuNInst.exe /UNINSTALL
Intel Application Accelerator --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9984DF60-1C5B-11D3-ACA1-908A4FC10801}\Setup.exe" -K -INTELUNINST
Just Flight A340 Professional FS2004 v1.00 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1F236C19-D294-4CA0-B572-279BEC99B1C4}\setup.exe" -l0x9
Just Flight VFR Photographic Scenery: C & S England v1.01 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{120D1E14-8131-4F0B-B3EF-E80D6EA0EDB0}\setup.exe"
Just Flight VFR Photographic Scenery: E & SE England v1.01 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{41C91D54-F0D5-4C55-AC7B-066FD8883136}\setup.exe"
Just Flight VFR Photographic Scenery: Northern England v1.01 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0B84CCA2-64D8-4B5E-98E8-40B3CB250CB6}\setup.exe"
Just Flight VFR Photographic Scenery: Wales & SW England v1.01 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{4527537F-535B-47A5-9835-9644B56E71B4}\setup.exe"
Kaspersky Online Scanner --> C:\WINDOWS\System32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
LAGO TerraMesh CD2 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F2F9329A-68DF-4633-A161-42016FBEB7C1}\Setup.exe" -l0x9
LAGO TMS CD1 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{00B1859D-1846-467A-A488-99427DB9F294}\Setup.exe" -l0x9
LG ODD Auto Firmware Update --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6179550A-3E7C-499E-BCC9-9E8113E0A285}\Setup.exe"
Memory-Map OS Edition Version 5 --> MsiExec.exe /X{42B5BD69-7AF4-41D6-AC8C-896B1570DFD0}
Microsoft ActiveSync --> MsiExec.exe /I{99052DB7-9592-4522-A558-5417BBAD48EE}
Microsoft DirectX Transform optional components --> RUNDLL32.EXE ADVPACK.DLL,LaunchINFSection C:\WINDOWS\INF\DXTXTRA.INF,UNINSTALL.NT,12
Microsoft Flight Simulator 2004 A Century of Flight --> "C:\Program Files\Microsoft Games\Flight Simulator 9\UNINSTAL.EXE" /runtemp /addremove
Microsoft Money 98 --> G:\Program Files\Microsoft Money\setup\SETUP.EXE
Microsoft Office XP Professional with FrontPage --> MsiExec.exe /I{90280409-6000-11D3-8CFE-0050048383C9}
Microsoft Publisher 2002 --> MsiExec.exe /I{90190409-6000-11D3-8CFE-0050048383C9}
Multimedia Launcher --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}\setup.exe" -uninstall
Nero OEM --> C:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
PCI Audio Applications --> C:\Program Files\PCI Audio Applications\Bin\Uninstall.exe
PCI Audio Driver --> cmuninst.exe
PowerDVD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\setup.exe" -uninstall
PowerProducer --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B7A0CE06-068E-11D6-97FD-0050BACBF861}\setup.exe" -uninstall
QuickTime 3.0 --> C:\WINDOWS\uninst.exe -f"g:\Program Files\QuickTime\DeIsL1.isu" -c"C:\WINDOWS\System32\QTUninst.dll
Real Airports --> C:\DOCUME~1\Steve\Desktop\afcads\dups\FLIGHT~1\Setup.exe /remove /q0
Remove UK2000 Part 1 files --> C:\WINDOWS\iun506.exe C:\Program Files\Microsoft Games\Flight Simulator 9\uk2000 scenery\UK2000 Part 1\irunin.ini
Remove UK2000 Part 2 files --> C:\WINDOWS\iun506.exe C:\Program Files\Microsoft Games\Flight Simulator 9\uk2000 scenery\UK2000 Part 2\irunin.ini
Remove UK2000 Part 3 files --> C:\WINDOWS\iun506.exe C:\Program Files\Microsoft Games\Flight Simulator 9\uk2000 scenery\UK2000 Part 3\irunin.ini
Remove UK2000 Part 4 files --> C:\WINDOWS\iun506.exe C:\Program Files\Microsoft Games\Flight Simulator 9\uk2000 scenery\UK2000 Part 4\irunin.ini
Remove UK2000 Part 5 files --> C:\WINDOWS\iun506.exe C:\Program Files\Microsoft Games\Flight Simulator 9\uk2000 scenery\UK2000 Part 5\irunin.ini
Remove UK2000 Part 6 files --> C:\WINDOWS\iun506.exe C:\Program Files\Microsoft Games\Flight Simulator 9\uk2000 scenery\UK2000 Part 6\irunin.ini
Remove UK2000 Part7 files --> C:\WINDOWS\iun506.exe C:\Program Files\Microsoft Games\Flight Simulator 9\uk2000 scenery\UK2000 Part7\irunin.ini
Seletar Airport AFCAD v1 for FS2004 --> C:\Documents and Settings\Steve\Desktop\afcads\singa\Uninstal.exe
SideWinder Force Feedback 2 --> C:\WINDOWS\IsUninst.exe -f"G:\Program Files\Microsoft Hardware\Game Controllers\Force Feedback 2\Uninst.isu" -c"G:\Program Files\Microsoft Hardware\Game Controllers\Force Feedback 2\Uninstall.dll"
SopCore 1.1.2 --> G:\Program Files\SopCast\uninst.exe
Spybot - Search & Destroy --> "G:\Program Files\Spybot - Search & Destroy\unins000.exe"
SquawkBox 3 --> F:\flight sim 9\squawkbox\sbuninstall.exe SquawkBox 3
Super Flight Planner 3.0.3 --> "G:\Program Files\Central Park\Sfp\unins000.exe"
Sygate Personal Firewall --> MsiExec.exe /I{F34D9A5F-484A-4E31-A9D3-908CB265B289}
TeamSpeak 2 RC2 --> "C:\Program Files\Teamspeak2_RC2\unins000.exe"
TVUPlayer 2.3.0.0 --> G:\Program Files\TVUPlayer\uninst.exe
UKRoute Version 2.0 --> C:\WINDOWS\iun506.exe G:\Program Files\UKRoute Version 2.0\irunin.ini
Virtual E6-B 1.4 --> C:\WINDOWS\st6unst.exe -n "g:\program files\e6-b\ST6UNST.LOG"
vroute.info --> rundll32.exe dfshim.dll,ShArpMaintain vroute.info.application, Culture=en, PublicKeyToken=5accc01de4247373, processorArchitecture=msil
Windows XP Uninstall --> %SYSTEMROOT%\system32\osuninst.exe
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe


-- Application Event Log -------------------------------------------------------

Event Record #/Type739 / Error
Event Submitted/Written: 11/24/2007 11:15:09 AM
Event ID/Source: 4609 / EventSystem
Event Description:
The COM+ Event System detected a bad return code during its internal processing. HRESULT was 800706BF from line 44 of d:\nt\com\com1x\src\events\tier1\eventsystemobj.cpp. Please contact Microsoft Product Support Services to report this error.

Event Record #/Type737 / Error
Event Submitted/Written: 11/24/2007 10:46:01 AM
Event ID/Source: 4609 / EventSystem
Event Description:
The COM+ Event System detected a bad return code during its internal processing. HRESULT was 800706BF from line 44 of d:\nt\com\com1x\src\events\tier1\eventsystemobj.cpp. Please contact Microsoft Product Support Services to report this error.

Event Record #/Type729 / Error
Event Submitted/Written: 11/16/2007 01:13:21 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application TeaTimer.exe, version 1.5.0.9, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type724 / Error
Event Submitted/Written: 11/16/2007 09:11:09 AM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application mixer.exe, version 1.4.5.0, faulting module , version 0.0.0.0, fault address 0x00000000.

Event Record #/Type723 / Error
Event Submitted/Written: 11/16/2007 09:01:38 AM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application fwupdate.exe, version 1.0.0.0, faulting module , version 0.0.0.0, fault address 0x00000000.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type9554 / Error
Event Submitted/Written: 11/29/2007 06:35:39 PM
Event ID/Source: 7034 / Service Control Manager
Event Description:
The Sygate Personal Firewall service terminated unexpectedly. It has done this 1 time(s).

Event Record #/Type9538 / Error
Event Submitted/Written: 11/29/2007 06:35:39 PM
Event ID/Source: 7023 / Service Control Manager
Event Description:
The IPSEC Services service terminated with the following error:
%%1747

Event Record #/Type9533 / Error
Event Submitted/Written: 11/28/2007 06:24:53 PM
Event ID/Source: 7034 / Service Control Manager
Event Description:
The Sygate Personal Firewall service terminated unexpectedly. It has done this 1 time(s).

Event Record #/Type9517 / Error
Event Submitted/Written: 11/28/2007 06:24:53 PM
Event ID/Source: 7023 / Service Control Manager
Event Description:
The IPSEC Services service terminated with the following error:
%%1747

Event Record #/Type9508 / Error
Event Submitted/Written: 11/28/2007 06:14:26 PM
Event ID/Source: 7034 / Service Control Manager
Event Description:
The Sygate Personal Firewall service terminated unexpectedly. It has done this 1 time(s).



-- End of Deckard's System Scanner: finished at 2007-11-29 18:39:14 ------------

#7 Yourhighness

    The BSG Malware Fighter

  • Malware Response Team
  • 7,943 posts
  • Gender:Male
  • Location:Hamburg

Posted 29 November 2007 - 03:06 PM

Hey StevieM,

Step #1

Please download ComboFix from here.
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results". (Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.)
  • Close any open browsers
Next, please:
  • open notepad and copy/paste the text in the codebox below into it:

    File::
    C:\WINDOWS\SYSTEM32\mljkigd.dll
    C:\WINDOWS\SYSTEM32\rev3\revdrive33b.exe
    C:\WINDOWS\SYSTEM32\cbxurqr.dll
    C:\WINDOWS\SYSTEM32\rqromlk.dll
    C:\WINDOWS\SYSTEM32\urqpnmm.dll
    C:\WINDOWS\SYSTEM32\ddccyax.dll
    C:\WINDOWS\System32\gebca.dll
    C:\WINDOWS\System32\hhlowteo.dll
    C:\Program Files\PLUS!\horevodal
    C:\WINDOWS\System32\x2\jumper83122.exe.dll
    C:\WINDOWS\System32\__c006A736.dat
    C:\WINDOWS\Tasks\At21.job
    C:\WINDOWS\Tasks\At20.job
    C:\WINDOWS\Tasks\At10.job
    C:\WINDOWS\Tasks\At17.job
    C:\WINDOWS\Tasks\At12.job
    C:\WINDOWS\Tasks\At11.job
    C:\WINDOWS\Tasks\At19.job
    C:\WINDOWS\Tasks\At18.job
    C:\WINDOWS\Tasks\At15.job
    C:\WINDOWS\Tasks\At14.job
    C:\WINDOWS\Tasks\At13.job
    C:\WINDOWS\Tasks\At9.job
    C:\WINDOWS\Tasks\At16.job
    C:\WINDOWS\Tasks\At8.job
    C:\WINDOWS\Tasks\At7.job
    C:\WINDOWS\Tasks\At6.job
    C:\WINDOWS\Tasks\At5.job
    C:\WINDOWS\Tasks\At4.job
    C:\WINDOWS\Tasks\At3.job
    C:\WINDOWS\Tasks\At24.job
    C:\WINDOWS\Tasks\At23.job
    C:\WINDOWS\Tasks\At22.job
    C:\WINDOWS\Tasks\At2.job
    C:\WINDOWS\Tasks\At1.job
    C:\WINDOWS\System32\M3BqWtij.exe
    C:\WINDOWS\System32\WS2Fix.exe
    C:\WINDOWS\System32\VCCLSID.exe
    C:\WINDOWS\System32\SrchSTS.exe
    C:\WINDOWS\System32\Process.exe
    C:\WINDOWS\System32\dumphive.exe
    C:\WINDOWS\System32\tmp.reg
    C:\FOUND.001
    C:\WINDOWS\System32\ddccyax.dll
    C:\WINDOWS\System32\urqpnmm.dll
    C:\WINDOWS\System32\rqromlk.dll
    C:\WINDOWS\System32\cbxurqr.dll
    C:\WINDOWS\System32\mljkigd.dll
    C:\WINDOWS\System32\gebca.dll
    
    Folder::
    C:\WINDOWS\SYSTEM32\rMa01yy
    C:\Documents and Settings\Steve\Desktop\SmitfraudFix
    C:\VundoFix Backups
    C:\WINDOWS\System32\rev3
    C:\WINDOWS\System32\x2
    C:\WINDOWS\System32\dn5
    C:\WINDOWS\System32\rMa01yy
    
    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{334FA082-A58D-46C6-B212-74EDCFAC1F80}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5EC6E847-7997-4740-82B7-473337292592}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{762E6DBB-D6C5-4FFB-8FA6-4ACFD915F429}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9BF6EEBD-0CE8-49AD-B93B-7EBBD4BF8C4A}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{cb84aeba-0bf2-dbca-bec4-127673ac31f9}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9f13ca37-6721-4ceb-acbd-2fb0abea48bc}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BD8C2951-3AA1-4B36-9D6B-E52EF2AF4B5E}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C3D2C229-221A-4FC0-B8A8-6CE67CA50DBE}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E4EDD9AB-44E8-43B1-845B-FD5D882245C1}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F397DE4B-7E21-4B11-9DC8-2F4FC7A67EE4}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F5797728-155E-42DC-93AA-2B30C75092C6}]
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\hobpyupn]
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "appinit_dlls"=-
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{334FA082-A58D-46C6-B212-74EDCFAC1F80}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5EC6E847-7997-4740-82B7-473337292592}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{762E6DBB-D6C5-4FFB-8FA6-4ACFD915F429}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9BF6EEBD-0CE8-49AD-B93B-7EBBD4BF8C4A}]
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    "Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
  • Save this as CFScript.txt

    [image: CFScript.txt being dragged onto ComboFix.exe]
  • Referring to the picture above, drag CFScript.txt into ComboFix.exe
  • When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.
    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall
  • Additionally, ComboFix will generate a zipped file on your desktop called Submit [Date Time].zip
    Please submit this file via the html page that should popup after running ComboFix.

    Please include a link to this topic in the message.
Step #2

Please post back with a fresh HijackThis log and the ComboFix log. Thanks.

"How did I get infected?" - "Safe-hex" - Member of UNITE -


#8 StevieM
  • Topic Starter

  • Members
  • 27 posts

Posted 30 November 2007 - 08:44 AM

Below are the ComboFix log and a new HijackThis log. Please note that no zip file (Submit [Date Time].zip) was created following my ComboFix run, so I could not add any links.

ComboFix 07-11-19.4C - Steve 2007-11-30 13:30:13.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.528 [GMT 0:00]
Running from: C:\Documents and Settings\Steve\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Steve\Desktop\CFScript.txt

FILE
C:\FOUND.001
C:\Program Files\PLUS!\horevodal
C:\WINDOWS\System32\__c006A736.dat
C:\WINDOWS\SYSTEM32\cbxurqr.dll
C:\WINDOWS\System32\cbxurqr.dll
C:\WINDOWS\System32\ddccyax.dll
C:\WINDOWS\SYSTEM32\ddccyax.dll
C:\WINDOWS\System32\dumphive.exe
C:\WINDOWS\System32\gebca.dll
C:\WINDOWS\System32\hhlowteo.dll
C:\WINDOWS\System32\M3BqWtij.exe
C:\WINDOWS\SYSTEM32\mljkigd.dll
C:\WINDOWS\System32\mljkigd.dll
C:\WINDOWS\System32\Process.exe
C:\WINDOWS\SYSTEM32\rev3\revdrive33b.exe
C:\WINDOWS\SYSTEM32\rqromlk.dll
C:\WINDOWS\System32\rqromlk.dll
C:\WINDOWS\System32\SrchSTS.exe
C:\WINDOWS\System32\tmp.reg
C:\WINDOWS\System32\urqpnmm.dll
C:\WINDOWS\SYSTEM32\urqpnmm.dll
C:\WINDOWS\System32\VCCLSID.exe
C:\WINDOWS\System32\WS2Fix.exe
C:\WINDOWS\System32\x2\jumper83122.exe.dll
C:\WINDOWS\Tasks\At1.job
C:\WINDOWS\Tasks\At10.job
C:\WINDOWS\Tasks\At11.job
C:\WINDOWS\Tasks\At12.job
C:\WINDOWS\Tasks\At13.job
C:\WINDOWS\Tasks\At14.job
C:\WINDOWS\Tasks\At15.job
C:\WINDOWS\Tasks\At16.job
C:\WINDOWS\Tasks\At17.job
C:\WINDOWS\Tasks\At18.job
C:\WINDOWS\Tasks\At19.job
C:\WINDOWS\Tasks\At2.job
C:\WINDOWS\Tasks\At20.job
C:\WINDOWS\Tasks\At21.job
C:\WINDOWS\Tasks\At22.job
C:\WINDOWS\Tasks\At23.job
C:\WINDOWS\Tasks\At24.job
C:\WINDOWS\Tasks\At3.job
C:\WINDOWS\Tasks\At4.job
C:\WINDOWS\Tasks\At5.job
C:\WINDOWS\Tasks\At6.job
C:\WINDOWS\Tasks\At7.job
C:\WINDOWS\Tasks\At8.job
C:\WINDOWS\Tasks\At9.job
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data.\salesmonitor
C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
C:\Documents and Settings\All Users\Start Menu\Online Security Guide.lnk
C:\Documents and Settings\Steve\Desktop\SmitfraudFix
C:\Documents and Settings\Steve\Desktop\SmitfraudFix\backups\HKCU_Domains.reg
C:\Documents and Settings\Steve\Desktop\SmitfraudFix\backups\HKCU_Ranges.reg
C:\Documents and Settings\Steve\Desktop\SmitfraudFix\backups\HKLM_Domains.reg
C:\Documents and Settings\Steve\Desktop\SmitfraudFix\backups\HKLM_Ranges.reg
C:\Documents and Settings\Steve\Desktop\SmitfraudFix\dumphive.exe
C:\Documents and Settings\Steve\Desktop\SmitfraudFix\exit.exe
C:\Documents and Settings\Steve\Desktop\SmitfraudFix\GenericRenosFix.exe
C:\Documents and Settings\Steve\Desktop\SmitfraudFix\HostsChk.exe
C:\Documents and Settings\Steve\Desktop\SmitfraudFix\Process.exe
C:\Documents and Settings\Steve\Desktop\SmitfraudFix\Reboot.exe
C:\Documents and Settings\Steve\Desktop\SmitfraudFix\restart.exe
C:\Documents and Settings\Steve\Desktop\SmitfraudFix\SmitfraudFix.cmd
C:\Documents and Settings\Steve\Desktop\SmitfraudFix\SmiUpdate.exe
C:\Documents and Settings\Steve\Desktop\SmitfraudFix\SrchSTS.exe
C:\Documents and Settings\Steve\Desktop\SmitfraudFix\swreg.exe
C:\Documents and Settings\Steve\Desktop\SmitfraudFix\swsc.exe
C:\Documents and Settings\Steve\Desktop\SmitfraudFix\swxcacls.exe
C:\Documents and Settings\Steve\Desktop\SmitfraudFix\unzip.exe
C:\Documents and Settings\Steve\Desktop\SmitfraudFix\VCCLSID.exe
C:\Documents and Settings\Steve\Desktop\SmitfraudFix\WS2Fix.exe
C:\Documents and Settings\Steve\Favorites\Online Security Guide.lnk
C:\Program Files\Temporary
C:\Program Files\WinAble
C:\VundoFix Backups
C:\VundoFix Backups\acbeg.ini.bad
C:\VundoFix Backups\addmorefiles.txt
C:\VundoFix Backups\gebca.dll.bad
C:\VundoFix Backups\rqdinnkw.dll.bad
C:\WINDOWS\cookies.ini
C:\WINDOWS\start.exe
C:\WINDOWS\System32\cbxurqr.dll
C:\WINDOWS\SYSTEM32\ddccyax.dll
C:\WINDOWS\System32\dn5
C:\WINDOWS\System32\dumphive.exe
C:\WINDOWS\System32\M3BqWtij.exe
C:\WINDOWS\System32\mljkigd.dll
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\System32\Process.exe
C:\WINDOWS\System32\rev3
C:\WINDOWS\SYSTEM32\rev3\revdrive33b.exe
C:\WINDOWS\SYSTEM32\rMa01yy
C:\WINDOWS\System32\rMa01yy\rMa01yy1065.exe
C:\WINDOWS\SYSTEM32\rqromlk.dll
C:\WINDOWS\System32\SrchSTS.exe
C:\WINDOWS\System32\tmp.reg
C:\WINDOWS\SYSTEM32\urqpnmm.dll
C:\WINDOWS\System32\VCCLSID.exe
C:\WINDOWS\System32\WS2Fix.exe
C:\WINDOWS\System32\x2
C:\WINDOWS\Tasks\At1.job
C:\WINDOWS\Tasks\At10.job
C:\WINDOWS\Tasks\At11.job
C:\WINDOWS\Tasks\At12.job
C:\WINDOWS\Tasks\At13.job
C:\WINDOWS\Tasks\At14.job
C:\WINDOWS\Tasks\At15.job
C:\WINDOWS\Tasks\At16.job
C:\WINDOWS\Tasks\At17.job
C:\WINDOWS\Tasks\At18.job
C:\WINDOWS\Tasks\At19.job
C:\WINDOWS\Tasks\At2.job
C:\WINDOWS\Tasks\At20.job
C:\WINDOWS\Tasks\At21.job
C:\WINDOWS\Tasks\At22.job
C:\WINDOWS\Tasks\At23.job
C:\WINDOWS\Tasks\At24.job
C:\WINDOWS\Tasks\At3.job
C:\WINDOWS\Tasks\At4.job
C:\WINDOWS\Tasks\At5.job
C:\WINDOWS\Tasks\At6.job
C:\WINDOWS\Tasks\At7.job
C:\WINDOWS\Tasks\At8.job
C:\WINDOWS\Tasks\At9.job

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_DOMAINSERVICE
-------\LEGACY_FMTR


((((((((((((((((((((((((( Files Created from 2007-10-28 to 2007-11-30 )))))))))))))))))))))))))))))))
.

2007-11-28 18:30 <DIR> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab
2007-11-28 18:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-11-16 12:48 <DIR> d-------- C:\Program Files\Sygate
2007-11-16 12:48 60,496 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\Teefer.sys
2007-11-16 12:48 21,075 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\wpsdrvnt.sys
2007-11-16 12:48 14,568 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\wg3n.sys
2007-11-14 10:10 <DIR> d-------- C:\Documents and Settings\Steve\Application Data\Lavasoft
2007-11-14 08:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-13 17:51 <DIR> d-------- C:\Documents and Settings\Steve\Application Data\Grisoft
2007-11-13 17:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-11-13 17:51 10,872 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\AvgAsCln.sys
2007-10-19 15:15 <DIR> d-------- C:\Documents and Settings\Steve\Application Data\Motive
2007-10-13 18:27 <DIR> d-------- C:\Program Files\JustZIPit
2007-10-07 10:04 29,696 --------- C:\WINDOWS\SYSTEM32\DRIVERS\rndismpx.sys
2007-10-07 10:04 29,696 --------- C:\WINDOWS\SYSTEM32\dllcache\rndismpx.sys
2007-10-07 10:04 12,032 --------- C:\WINDOWS\SYSTEM32\DRIVERS\usb8023x.sys
2007-10-07 10:04 12,032 --------- C:\WINDOWS\SYSTEM32\dllcache\usb8023x.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-11 07:55 88,128 ----a-w C:\WINDOWS\SYSTEM32\sydkyujo.dll
2007-10-22 08:55 73,216 ----a-w C:\WINDOWS\ST6UNST.EXE
2007-10-22 08:55 286,720 ------w C:\WINDOWS\Setup1.exe
2007-09-22 20:44 286,720 ----a-w C:\WINDOWS\iun506.exe
2007-09-06 11:09 801,144 ----a-w C:\WINDOWS\SYSTEM32\aswBoot.exe
2007-09-06 11:00 95,608 ----a-w C:\WINDOWS\SYSTEM32\AvastSS.scr
2007-08-03 08:14 92,608 ----a-w C:\Documents and Settings\Steve\Application Data\GDIPFONTCACHEV1.DAT
2007-05-26 11:02 266 --sha-w C:\Program Files\desktop.ini
2007-05-26 11:02 11,079 ---ha-w C:\Program Files\folder.htt
2004-10-01 15:00 40,960 ----a-w C:\Program Files\Uninstall_CDS.exe
2007-05-26 15:20 61 --sh--w C:\WINDOWS\cnerolf.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\ctfmon.exe" [2002-08-29 02:41]
"Reminder"="G:\PROGRAM FILES\MICROSOFT MONEY\SYSTEM\REMINDER.EXE" [1997-11-12 00:00]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2002-08-20 15:08]
"eyeBeam SIP Client"="" []
"H/PC Connection Agent"="G:\Program Files\Microsoft ActiveSync\Wcescomm.exe" [2006-11-13 13:39]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe" [2001-11-18 21:12 C:\WINDOWS\SYSTEM32\systray.exe]
"NvCplDaemon"="RUNDLL32.exe" [2001-11-18 21:12 C:\WINDOWS\SYSTEM32\rundll32.exe]
"anvshell"="anvshell.exe" [2002-01-28 11:12 C:\WINDOWS\anvshell.exe]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50]
"LGODDFU"="C:\Program Files\lg_fwupdate\fwupdate.exe" [2005-04-12 10:11]
"RemoteControl"="C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" [2003-12-08 17:35]
"btbb_wcm_McciTrayApp"="C:\Program Files\btbb_wcm\McciTrayApp.exe" [2005-12-29 11:22]
"avast!"="G:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-09-06 11:06]
"SideWinderTrayV4"="G:\PROGRA~1\MICROS~3\GAMECO~1\Common\SWTrayV4.exe" [2000-06-28 14:34]
"SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [2004-10-15 19:40]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2002-08-29 02:41]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

R1 ANVIOCTL;ANVIOCTL;C:\WINDOWS\System32\DRIVERS\anvioctl.sys
R1 ANVOSDNT;ASUS Keyboard Filter Driver;C:\WINDOWS\System32\DRIVERS\anvosdnt.sys
R3 GcKernel;Microsoft SideWinder Value Add - Filter Driver;C:\WINDOWS\System32\DRIVERS\GcKernel.sys
R3 HIDSwvd;Microsoft SideWinder Virtual HID Device Mini-Driver;C:\WINDOWS\System32\DRIVERS\HIDSwvd.sys
R3 SWUSBFLT;Microsoft SideWinder VIA Filter Driver;C:\WINDOWS\System32\DRIVERS\SWUSBFLT.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-11-07 19:00:02 C:\WINDOWS\Tasks\Tune-up Application Start.job"
"2007-11-29 18:50:02 C:\WINDOWS\Tasks\Uninstall Expiration Reminder.job"
- C:\WINDOWS\System32\OOBE\oobebaln.exe
.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-30 13:33:25
Windows 5.1.2600 Service Pack 1 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-30 13:34:30 - machine was rebooted
.
--- E O F ---


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:40:22, on 30/11/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\Explorer.EXE
G:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
G:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
G:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\anvshell.exe
C:\Program Files\lg_fwupdate\fwupdate.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\btbb_wcm\McciTrayApp.exe
G:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
G:\PROGRA~1\MICROS~3\GAMECO~1\Common\SWTrayV4.exe
C:\WINDOWS\System32\ctfmon.exe
G:\PROGRAM FILES\MICROSOFT MONEY\SYSTEM\REMINDER.EXE
C:\Program Files\Messenger\msmsgs.exe
G:\Program Files\Microsoft ActiveSync\Wcescomm.exe
G:\PROGRA~1\MICROS~4\rapimgr.exe
G:\Program Files\Alwil Software\Avast4\ashWebSv.exe
G:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Documents and Settings\Steve\Desktop\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - G:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [anvshell] anvshell.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LGODDFU] "C:\Program Files\lg_fwupdate\fwupdate.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [btbb_wcm_McciTrayApp] C:\Program Files\btbb_wcm\McciTrayApp.exe
O4 - HKLM\..\Run: [avast!] G:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SideWinderTrayV4] G:\PROGRA~1\MICROS~3\GAMECO~1\Common\SWTrayV4.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Reminder] G:\PROGRAM FILES\MICROSOFT MONEY\SYSTEM\REMINDER.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "G:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://G:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - G:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - G:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - G:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: BT Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - G:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - G:\PROGRA~1\SPYBOT~1\SDHelper.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - G:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - G:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - G:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - G:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - G:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: ASUS Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\SYSTEM32\YPCSER~1.EXE

--
End of file - 6433 bytes
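
Two things in the exchange above are easy to misread. The "FILE" block at the top of a ComboFix log only echoes what the CFScript asked for; the "Other Deletions" list is the record of what was actually removed. And the Registry:: section mixes three directive shapes: `[-key]` deletes a key, `"name"=-` deletes a value, and `"name"=hex(7):...` writes a REG_MULTI_SZ. The Python below is an added example, not code from this thread or from ComboFix: it parses the CFScript sections, decodes the hex(7) value back into strings, and lists every requested path that the log does not record as deleted. CFSCRIPT and LOG are shortened excerpts of post #7's script and post #8's log (the topic-URL line follows the form used in post #9); the function names and the decision to keep ComboFix's `~` key abbreviation verbatim rather than expand it are this example's own.

```python
"""Reconcile a ComboFix CFScript with the ComboFix log it produced.

Added example (not part of the thread or of ComboFix).  Function names,
the CFSCRIPT/LOG excerpts and the handling of ComboFix's "~" key
abbreviation (kept verbatim, not expanded) are this example's own choices.
"""
import re

# Shortened excerpt of the CFScript from post #7 (topic-URL line as in post #9).
CFSCRIPT = r"""
http://www.bleepingcomputer.com/forums/t/116782/infected-with-spywarecyberlog-x/

File::
C:\WINDOWS\SYSTEM32\mljkigd.dll
C:\WINDOWS\System32\mljkigd.dll
C:\WINDOWS\System32\hhlowteo.dll
C:\FOUND.001
C:\WINDOWS\Tasks\At1.job

Folder::
C:\WINDOWS\System32\rev3

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{334FA082-A58D-46C6-B212-74EDCFAC1F80}]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=-
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
"""

# Shortened excerpt of the ComboFix log from post #8.
LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\System32\mljkigd.dll
C:\WINDOWS\System32\rev3
C:\WINDOWS\SYSTEM32\rev3\revdrive33b.exe
C:\WINDOWS\Tasks\At1.job

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
"""

SECTION_RE = re.compile(r"^(\w+)::(?:\[\d+\])?\s*$")   # File:: Folder:: Registry:: Collect::[1]


def parse_cfscript(text):
    """Split a CFScript into {section: [lines]}; text before the first
    section header (e.g. the topic URL) is ignored."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def decode_hex7(value):
    """Decode the comma-separated byte list of a hex(7) (REG_MULTI_SZ) value.
    The layout matches the script above: one byte per character, each string
    NUL-terminated, an extra NUL closing the list.  (A regedit .reg export
    would carry the same value as UTF-16LE; this is not a general .reg parser.)"""
    data = bytes(int(b.strip(), 16) for b in value.split(","))
    return [s.decode("ascii") for s in data.split(b"\x00") if s]


def registry_ops(lines):
    """Classify Registry:: lines into (op, key, detail) tuples:
    [-key]            -> delete the whole key
    "name"=-          -> delete one value under the current key
    "name"=hex(7):... -> write a REG_MULTI_SZ (decoded here)"""
    ops, key = [], None
    for line in lines:
        if line.startswith("[-") and line.endswith("]"):
            ops.append(("delete_key", line[2:-1], None))
        elif line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        else:
            name, _, val = line.partition("=")
            name = name.strip().strip('"')
            if val == "-":
                ops.append(("delete_value", key, name))
            elif val.startswith("hex(7):"):
                ops.append(("set_multi_sz", key, (name, decode_hex7(val[len("hex(7):"):]))))
            else:
                ops.append(("set_value", key, (name, val)))
    return ops


def deleted_paths(log):
    """Paths under the 'Other Deletions' banner, lower-cased (FAT32 paths are
    case-insensitive, and the script lists SYSTEM32 and System32 variants)."""
    m = re.search(r"Other Deletions.*?\n(.*?)\n\(\(\(", log, re.S)
    body = m.group(1) if m else ""
    return {l.strip().lower() for l in body.splitlines() if l.strip() not in ("", ".")}


def undeleted(script, log):
    """File::/Folder:: paths that the log does not record as removed.  A file
    inside a removed folder counts as removed."""
    wanted = {p.lower() for p in script.get("File", []) + script.get("Folder", [])}
    done = deleted_paths(log)
    return sorted(p for p in wanted
                  if p not in done and not any(p.startswith(d + "\\") for d in done))


if __name__ == "__main__":
    script = parse_cfscript(CFSCRIPT)
    for op in registry_ops(script["Registry"]):
        print(op)
    print("requested but not in 'Other Deletions':", undeleted(script, LOG))
```

Run against the excerpts, it reports C:\FOUND.001 and C:\WINDOWS\System32\hhlowteo.dll as requested but not recorded as removed, and decodes the LSA value to `['msv1_0']`, which is the point of that directive: the script rewrites the Authentication Packages list to the Windows default so that any DLL appended to it (and thereby loaded into lsass.exe) drops out. Comparing the full script in post #7 with the full "Other Deletions" list in post #8 gives the same picture for those two paths, and C:\FOUND.001 duly reappears as a hidden system directory in the second ComboFix log in post #10.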

#9 Yourhighness

    The BSG Malware Fighter

  • Malware Response Team
  • 7,943 posts
  • Gender:Male
  • Location:Hamburg

Posted 01 December 2007 - 01:10 PM

Hey StevieM,

looking a bit better already. Apologies for the zip file confusion. That was my fault. There should be a zip file in this fix though.

Step #1
  • Open notepad and copy/paste the text in the codebox below into it:

    http://www.bleepingcomputer.com/forums/t/116782/infected-with-spywarecyberlog-x/?p=674489
    
    File::
    C:\WINDOWS\SYSTEM32\sydkyujo.dll
    
    Collect::[1]
    C:\WINDOWS\iun506.exe
    C:\WINDOWS\cnerolf.dat
  • Save this as CFScript.txt

    [image: CFScript.txt being dragged onto ComboFix.exe]
  • Referring to the picture above, drag CFScript.txt into ComboFix.exe
  • When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.
    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall
  • Additionally, ComboFix will generate a zipped file on your desktop called Submit [Date Time].zip
    Please submit this file via the html page that should popup after running ComboFix.

    Please include a link to this topic in the message.
Step #2

Please do an online scan with Kaspersky Webscan (You need to use InternetExplorer or enable IEView in Firefox)

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky; click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan: Select My Computer
  • This program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save Report as button >> name it >> choose "Text file" in the Save as type dialogue
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
Step #3

Please post back with a fresh HijackThis log, the ComboFix log and the log from the Kaspersky Onlinescan. Thanks.


#10 StevieM
  • Topic Starter

  • Members
  • 27 posts

Posted 03 December 2007 - 02:50 AM

Hello

Again thanks for helping, all this is far too deep for me. People like me have to put our complete trust in your expertise.

Anyway here are the latest logs:-

ComboFix 07-11-19.4C - Steve 2007-12-02 18:26:50.2 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.485 [GMT 0:00]
Running from: C:\Documents and Settings\Steve\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Steve\Desktop\CFScript.txt

FILE
C:\WINDOWS\SYSTEM32\sydkyujo.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\cnerolf.dat
C:\WINDOWS\iun506.exe
C:\WINDOWS\SYSTEM32\sydkyujo.dll

.
((((((((((((((((((((((((( Files Created from 2007-11-02 to 2007-12-02 )))))))))))))))))))))))))))))))
.

2007-11-29 18:35 <DIR> d-------- C:\Deckard
2007-11-28 18:30 <DIR> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab
2007-11-28 18:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-11-16 12:48 <DIR> d-------- C:\Program Files\Sygate
2007-11-16 12:48 60,496 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\Teefer.sys
2007-11-16 12:48 21,075 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\wpsdrvnt.sys
2007-11-14 10:10 <DIR> d-------- C:\Documents and Settings\Steve\Application Data\Lavasoft
2007-11-14 08:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-13 17:51 <DIR> d-------- C:\Documents and Settings\Steve\Application Data\Grisoft
2007-11-13 17:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-11-13 17:51 10,872 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\AvgAsCln.sys
2007-11-11 07:48 <DIR> d--hs---- C:\FOUND.001
2007-11-10 17:14 <DIR> d-------- C:\Temp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-22 08:55 73,216 ----a-w C:\WINDOWS\ST6UNST.EXE
2007-10-22 08:55 286,720 ------w C:\WINDOWS\Setup1.exe
2007-10-19 15:15 --------- d-----w C:\Documents and Settings\Steve\Application Data\Motive
2007-10-13 18:27 --------- d-----w C:\Program Files\JustZIPit
2007-09-06 11:09 801,144 ----a-w C:\WINDOWS\SYSTEM32\aswBoot.exe
2007-09-06 11:00 95,608 ----a-w C:\WINDOWS\SYSTEM32\AvastSS.scr
2007-08-03 08:14 92,608 ----a-w C:\Documents and Settings\Steve\Application Data\GDIPFONTCACHEV1.DAT
2007-05-26 11:02 266 --sha-w C:\Program Files\desktop.ini
2007-05-26 11:02 11,079 ---ha-w C:\Program Files\folder.htt
2004-10-01 15:00 40,960 ----a-w C:\Program Files\Uninstall_CDS.exe
.

((((((((((((((((((((((((((((( snapshot@2007-11-30_13.33.50.03 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-03-13 10:57:12 163,328 ----a-w C:\WINDOWS\ERDNT\subs\F3M\ERDNT.EXE
- 2007-11-29 18:54:28 16,384 ----a-w C:\WINDOWS\SYSTEM32\config\systemprofile\Cookies\index.dat
+ 2007-11-30 18:22:26 16,384 ----a-w C:\WINDOWS\SYSTEM32\config\systemprofile\Cookies\index.dat
- 2007-11-29 18:54:28 32,768 ----a-w C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2007-11-30 18:22:26 32,768 ----a-w C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2007-11-29 18:54:28 65,536 ----a-w C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2007-11-30 18:22:26 65,536 ----a-w C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2007-11-30 13:33:16 16,384 ----a-w C:\WINDOWS\TEMP\Perflib_Perfdata_520.dat
+ 2007-12-02 18:29:44 16,384 ----a-w C:\WINDOWS\TEMP\Perflib_Perfdata_520.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\ctfmon.exe" [2002-08-29 02:41]
"Reminder"="G:\PROGRAM FILES\MICROSOFT MONEY\SYSTEM\REMINDER.EXE" [1997-11-12 00:00]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2002-08-20 15:08]
"eyeBeam SIP Client"="" []
"H/PC Connection Agent"="G:\Program Files\Microsoft ActiveSync\Wcescomm.exe" [2006-11-13 13:39]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe" [2001-11-18 21:12 C:\WINDOWS\SYSTEM32\systray.exe]
"NvCplDaemon"="RUNDLL32.exe" [2001-11-18 21:12 C:\WINDOWS\SYSTEM32\rundll32.exe]
"anvshell"="anvshell.exe" [2002-01-28 11:12 C:\WINDOWS\anvshell.exe]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50]
"LGODDFU"="C:\Program Files\lg_fwupdate\fwupdate.exe" [2005-04-12 10:11]
"RemoteControl"="C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" [2003-12-08 17:35]
"btbb_wcm_McciTrayApp"="C:\Program Files\btbb_wcm\McciTrayApp.exe" [2005-12-29 11:22]
"avast!"="G:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-09-06 11:06]
"SideWinderTrayV4"="G:\PROGRA~1\MICROS~3\GAMECO~1\Common\SWTrayV4.exe" [2000-06-28 14:34]
"SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [2004-10-15 19:40]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2002-08-29 02:41]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

R1 ANVIOCTL;ANVIOCTL;C:\WINDOWS\System32\DRIVERS\anvioctl.sys
R1 ANVOSDNT;ASUS Keyboard Filter Driver;C:\WINDOWS\System32\DRIVERS\anvosdnt.sys
R3 GcKernel;Microsoft SideWinder Value Add - Filter Driver;C:\WINDOWS\System32\DRIVERS\GcKernel.sys
R3 HIDSwvd;Microsoft SideWinder Virtual HID Device Mini-Driver;C:\WINDOWS\System32\DRIVERS\HIDSwvd.sys
R3 SWUSBFLT;Microsoft SideWinder VIA Filter Driver;C:\WINDOWS\System32\DRIVERS\SWUSBFLT.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-11-07 19:00:02 C:\WINDOWS\Tasks\Tune-up Application Start.job"
"2007-12-01 16:50:02 C:\WINDOWS\Tasks\Uninstall Expiration Reminder.job"
- C:\WINDOWS\System32\OOBE\oobebaln.exe
.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-02 18:29:53
Windows 5.1.2600 Service Pack 1 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-02 18:30:57 - machine was rebooted
.
--- E O F ---




Below is hopefully the link that you require? If it's not correct please let me know.


C:\Documents and Settings\Steve\Desktop.\[1]-Submit_2007-12-02@18.26.zip

#11 StevieM

  • Topic Starter
  • Members
  • 27 posts

Posted 03 December 2007 - 02:52 AM

Below are the new Kaspersky log and HijackThis log

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Sunday, December 02, 2007 9:02:34 PM
Operating System: Microsoft Windows XP Professional, Service Pack 1 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 2/12/2007
Kaspersky Anti-Virus database records: 470462
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\

Scan Statistics:
Total number of scanned objects: 499783
Number of viruses found: 6
Number of infected objects: 15
Number of suspicious objects: 0
Duration of the scan process: 02:18:28

Infected Object Name / Virus Name / Last Action
C:\WINDOWS\SYSTEM32\config\system.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\software.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\default.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\WINDOWS\SYSTEM32\config\systemprofile\Cookies\index.dat Object is locked skipped
C:\WINDOWS\SYSTEM32\config\Antivirus.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SECURITY Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SYSTEM Object is locked skipped
C:\WINDOWS\SYSTEM32\config\DEFAULT Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SAM Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\SYSTEM32\h323log.txt Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\TEMP\_avast4_\Webshlock.txt Object is locked skipped
C:\WINDOWS\TEMP\Perflib_Perfdata_520.dat Object is locked skipped
C:\WINDOWS\SchedLog.Txt Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\Program Files\Sygate\SPF\debug.log Object is locked skipped
C:\Program Files\Sygate\SPF\syslog.log Object is locked skipped
C:\Program Files\Sygate\SPF\seclog.log Object is locked skipped
C:\Program Files\Sygate\SPF\tralog.log Object is locked skipped
C:\Program Files\Sygate\SPF\rawlog.log Object is locked skipped
C:\Documents and Settings\Steve\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Steve\Local Settings\Temp\~DF7210.tmp Object is locked skipped
C:\Documents and Settings\Steve\Local Settings\Temp\WCESLog.log Object is locked skipped
C:\Documents and Settings\Steve\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Steve\Local Settings\History\History.IE5\MSHist012007120220071203\index.dat Object is locked skipped
C:\Documents and Settings\Steve\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Steve\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Steve\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Steve\Desktop\System Protection\SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Steve\Desktop\System Protection\SmitfraudFix.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Steve\Desktop\System Protection\SmitfraudFix.exe RarSFX: infected - 2 skipped
C:\Documents and Settings\Steve\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Steve\Application Data\$_hpcst$.hpc Object is locked skipped
C:\Documents and Settings\Steve\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Steve\UserData\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Deckard\System Scanner\backup\DOCUME~1\Steve\LOCALS~1\Temp\qrjatydi.exe Infected: not-a-virus:Downloader.Win32.WinFixer.au skipped
C:\Deckard\System Scanner\backup\DOCUME~1\Steve\LOCALS~1\Temp\mofugclq.exe Infected: not-a-virus:Downloader.Win32.WinFixer.au skipped
C:\Deckard\System Scanner\backup\DOCUME~1\Steve\LOCALS~1\Temp\urclqecd.exe Infected: not-a-virus:Downloader.Win32.WinFixer.au skipped
C:\qoobox\Quarantine\C\Documents and Settings\Steve\Desktop\SmitfraudFix\Reboot.exe.vir Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\qoobox\Quarantine\C\VundoFix Backups\rqdinnkw.dll.bad.vir Infected: not-a-virus:AdWare.Win32.SecToolBar.k skipped
C:\qoobox\Quarantine\C\WINDOWS\SYSTEM32\rev3\revdrive33b.exe.vir Infected: Trojan-Downloader.Win32.Small.gll skipped
C:\qoobox\Quarantine\C\WINDOWS\SYSTEM32\rMa01yy\rMa01yy1065.exe.vir Infected: Trojan-Downloader.Win32.VB.bsp skipped
C:\qoobox\Quarantine\C\WINDOWS\SYSTEM32\cbxurqr.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.aqj skipped
C:\qoobox\Quarantine\C\WINDOWS\SYSTEM32\ddccyax.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.aqj skipped
C:\qoobox\Quarantine\C\WINDOWS\SYSTEM32\mljkigd.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.aqj skipped
C:\qoobox\Quarantine\C\WINDOWS\SYSTEM32\rqromlk.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.aqj skipped
C:\qoobox\Quarantine\C\WINDOWS\SYSTEM32\urqpnmm.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.aqj skipped
G:\Program Files\Alwil Software\Avast4\DATA\report\Resident protection.txt Object is locked skipped
G:\Program Files\Alwil Software\Avast4\DATA\log\nshield.log Object is locked skipped
G:\Program Files\Alwil Software\Avast4\DATA\log\aswMaiSv.log Object is locked skipped
G:\Program Files\Alwil Software\Avast4\DATA\log\AshWebSv.ws Object is locked skipped
G:\Program Files\Alwil Software\Avast4\DATA\integ\avast.int Object is locked skipped
G:\Program Files\Alwil Software\Avast4\DATA\aswResp.dat Object is locked skipped
G:\Program Files\Alwil Software\Avast4\DATA\Avast4.db Object is locked skipped

Scan process completed.




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:03:06, on 02/12/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\Explorer.EXE
G:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
G:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
G:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\anvshell.exe
C:\Program Files\lg_fwupdate\fwupdate.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\btbb_wcm\McciTrayApp.exe
G:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
G:\PROGRA~1\MICROS~3\GAMECO~1\Common\SWTrayV4.exe
C:\WINDOWS\System32\ctfmon.exe
G:\PROGRAM FILES\MICROSOFT MONEY\SYSTEM\REMINDER.EXE
C:\Program Files\Messenger\msmsgs.exe
G:\Program Files\Microsoft ActiveSync\Wcescomm.exe
G:\PROGRA~1\MICROS~4\rapimgr.exe
G:\Program Files\Alwil Software\Avast4\ashWebSv.exe
G:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\PROGRA~1\YAHOO!\browser\ycommon.exe
C:\Documents and Settings\Steve\Desktop\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - G:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [anvshell] anvshell.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LGODDFU] "C:\Program Files\lg_fwupdate\fwupdate.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [btbb_wcm_McciTrayApp] C:\Program Files\btbb_wcm\McciTrayApp.exe
O4 - HKLM\..\Run: [avast!] G:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SideWinderTrayV4] G:\PROGRA~1\MICROS~3\GAMECO~1\Common\SWTrayV4.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Reminder] G:\PROGRAM FILES\MICROSOFT MONEY\SYSTEM\REMINDER.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "G:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://G:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - G:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - G:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - G:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: BT Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - G:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - G:\PROGRA~1\SPYBOT~1\SDHelper.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - G:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - G:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - G:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - G:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - G:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: ASUS Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\SYSTEM32\YPCSER~1.EXE

--
End of file - 6473 bytes
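
Reading a Kaspersky Online Scanner report like the one above by hand means separating the "Object is locked skipped" noise (registry hives, event logs, index.dat files in use) from real detections, and then checking whether each detection sits in a removal tool's own quarantine or backup folder (C:\qoobox\Quarantine, C:\Deckard\System Scanner\backup, VundoFix Backups) or is still live on disk. The following Python is an added example, not part of the thread or of any of the tools named in it; it runs over a constructed excerpt whose paths are taken from the posted report.

```python
import re
from dataclasses import dataclass

# Folders where the removal tools used in this thread keep copies of what
# they removed (ComboFix, Deckard's System Scanner, VundoFix). A detection
# under one of these is a leftover copy, not an active infection.
QUARANTINE_PREFIXES = (
    r"c:\qoobox\quarantine",
    r"c:\deckard\system scanner\backup",
    r"c:\vundofix backups",
)

# "<path> Infected: <verdict> skipped"
INFECTED_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<verdict>\S+) skipped$")
# "<archive> RarSFX: infected - 2 skipped": container summary of members already listed
ARCHIVE_RE = re.compile(r"^(?P<path>.+?) (?P<kind>\w+): infected - (?P<count>\d+) skipped$")
LOCKED_SUFFIX = " Object is locked skipped"


@dataclass
class Detection:
    path: str
    verdict: str
    quarantined: bool  # copy held by a removal tool, not a live file
    riskware: bool     # Kaspersky "not-a-virus:" class (tools, adware, downloaders)


def is_quarantined(path: str) -> bool:
    p = path.lower()
    return any(p.startswith(prefix) for prefix in QUARANTINE_PREFIXES)


def parse_report(report: str) -> dict:
    """Walk the 'Infected Object Name' table and sort its lines into buckets."""
    result = {"locked": 0, "archives": 0, "unparsed": [], "detections": []}
    in_table = False
    for raw in report.splitlines():
        line = raw.strip()
        if line.startswith("Infected Object Name"):
            in_table = True
            continue
        if not in_table or not line:
            continue
        if line == "Scan process completed.":
            break
        if line.endswith(LOCKED_SUFFIX):
            result["locked"] += 1  # file in use by Windows, not a detection
            continue
        m = INFECTED_RE.match(line)
        if m:
            result["detections"].append(Detection(
                path=m["path"],
                verdict=m["verdict"],
                quarantined=is_quarantined(m["path"]),
                riskware=m["verdict"].startswith("not-a-virus:"),
            ))
            continue
        if ARCHIVE_RE.match(line):
            result["archives"] += 1
            continue
        result["unparsed"].append(line)  # anything else deserves a human look
    return result


def needs_action(report: str) -> list:
    """Detections outside every quarantine folder: files still present on the system."""
    return [d for d in parse_report(report)["detections"] if not d.quarantined]


# Constructed excerpt modelled on the report posted above (paths taken from it).
SAMPLE_REPORT = r"""
Infected Object Name / Virus Name / Last Action
C:\WINDOWS\SYSTEM32\config\SAM Object is locked skipped
C:\Documents and Settings\Steve\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Steve\Desktop\System Protection\SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Steve\Desktop\System Protection\SmitfraudFix.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Steve\Desktop\System Protection\SmitfraudFix.exe RarSFX: infected - 2 skipped
C:\Deckard\System Scanner\backup\DOCUME~1\Steve\LOCALS~1\Temp\qrjatydi.exe Infected: not-a-virus:Downloader.Win32.WinFixer.au skipped
C:\qoobox\Quarantine\C\WINDOWS\SYSTEM32\rev3\revdrive33b.exe.vir Infected: Trojan-Downloader.Win32.Small.gll skipped
C:\qoobox\Quarantine\C\WINDOWS\SYSTEM32\cbxurqr.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.aqj skipped

Scan process completed.
"""

if __name__ == "__main__":
    summary = parse_report(SAMPLE_REPORT)
    print(f"locked (ignored): {summary['locked']}, archive summaries: {summary['archives']}")
    for d in summary["detections"]:
        where = "quarantine copy" if d.quarantined else "LIVE"
        kind = "riskware/tool" if d.riskware else "malware"
        print(f"{where:15} {kind:13} {d.verdict}  {d.path}")
    print("still on disk:", len(needs_action(SAMPLE_REPORT)))
```

On the excerpt, the only detections outside a quarantine folder are the two RiskTool hits inside SmitfraudFix.exe itself, a removal tool's own reboot helper.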

#12 Yourhighness

    The BSG Malware Fighter

  • Malware Response Team
  • 7,943 posts
  • Gender:Male
  • Location:Hamburg

Posted 04 December 2007 - 02:33 AM

Hey StevieM,

Below is hopefully the link that you require? If it's not correct please let me know.

I am not entirely sure what you mean. What was meant with the zip file is this:

[image: screenshot of the file submission form]

So the path: C:\Documents and Settings\Steve\Desktop.\[1]-Submit_2007-12-02@18.26.zip

should be pasted into that textbox and then click "send file". The file will then be submitted to us. So as long as you did that, we will receive the file.

Step #1

Please delete this folder:

C:\Documents and Settings\Steve\Desktop\SmitfraudFix

Step #2
  • Now please navigate to: Start >> Run...
  • Type: Combofix /u and hit Enter
  • This will delete:
    • \Qoobox
    • \VundoFix Backups
    • \Deckard
    • \_OTMoveIt
    • %systemroot%\erdnt\subs
  • Also resets System Restore, re-hides system & hidden files, resets system clock and last but not least, hides the file extensions of known filetypes
Step #3

Please do an online scan with Kaspersky Webscan (You need to use Internet Explorer or enable IEView in Firefox)

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under "Select a target to scan", select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save Report as button >> name it >> choose "Text file" in the Save as type dialogue
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
Step #4

Please post back with the fresh Kaspersky Onlinescan log and a fresh HijackThis log. Thanks.

Edited by Yourhighness, 04 December 2007 - 02:34 AM.

"How did I get infected?" - "Safe-hex" - Member of UNITE -


#13 StevieM

  • Topic Starter
  • Members
  • 27 posts

Posted 05 December 2007 - 04:00 PM

Hi

Sorry about the confusion with the zip file. I had done what was required and submitted the file as stated so it should be ok.

Below are the latest logs you require:-


-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Wednesday, December 05, 2007 8:55:32 PM
Operating System: Microsoft Windows XP Professional, Service Pack 1 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 5/12/2007
Kaspersky Anti-Virus database records: 473271
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\

Scan Statistics:
Total number of scanned objects: 499795
Number of viruses found: 0
Number of infected objects: 0
Number of suspicious objects: 0
Duration of the scan process: 02:18:48

Infected Object Name / Virus Name / Last Action
C:\System Volume Information\_restore{DCDD74BE-CCBE-4C4F-85E7-FDBEC24707C8}\RP1\change.log Object is locked skipped
C:\WINDOWS\SYSTEM32\config\system.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\software.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\default.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\config\Antivirus.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SECURITY Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SYSTEM Object is locked skipped
C:\WINDOWS\SYSTEM32\config\DEFAULT Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SAM Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\SYSTEM32\h323log.txt Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\TEMP\_avast4_\Webshlock.txt Object is locked skipped
C:\WINDOWS\TEMP\Perflib_Perfdata_52c.dat Object is locked skipped
C:\WINDOWS\SchedLog.Txt Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\Program Files\Sygate\SPF\debug.log Object is locked skipped
C:\Program Files\Sygate\SPF\syslog.log Object is locked skipped
C:\Program Files\Sygate\SPF\seclog.log Object is locked skipped
C:\Program Files\Sygate\SPF\tralog.log Object is locked skipped
C:\Program Files\Sygate\SPF\rawlog.log Object is locked skipped
C:\Documents and Settings\Steve\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Steve\Local Settings\Temp\WCESLog.log Object is locked skipped
C:\Documents and Settings\Steve\Local Settings\Temp\~DFDF1B.tmp Object is locked skipped
C:\Documents and Settings\Steve\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Steve\Local Settings\History\History.IE5\MSHist012007120520071206\index.dat Object is locked skipped
C:\Documents and Settings\Steve\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Steve\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Steve\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Steve\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Steve\Application Data\$_hpcst$.hpc Object is locked skipped
C:\Documents and Settings\Steve\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Steve\UserData\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
G:\Program Files\Alwil Software\Avast4\DATA\report\Resident protection.txt Object is locked skipped
G:\Program Files\Alwil Software\Avast4\DATA\log\nshield.log Object is locked skipped
G:\Program Files\Alwil Software\Avast4\DATA\log\aswMaiSv.log Object is locked skipped
G:\Program Files\Alwil Software\Avast4\DATA\log\AshWebSv.ws Object is locked skipped
G:\Program Files\Alwil Software\Avast4\DATA\integ\avast.int Object is locked skipped
G:\Program Files\Alwil Software\Avast4\DATA\aswResp.dat Object is locked skipped
G:\Program Files\Alwil Software\Avast4\DATA\Avast4.db Object is locked skipped

Scan process completed.



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:56:00, on 05/12/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\Explorer.EXE
G:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
G:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
G:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\anvshell.exe
C:\Program Files\lg_fwupdate\fwupdate.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\btbb_wcm\McciTrayApp.exe
G:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
G:\PROGRA~1\MICROS~3\GAMECO~1\Common\SWTrayV4.exe
C:\WINDOWS\System32\ctfmon.exe
G:\PROGRAM FILES\MICROSOFT MONEY\SYSTEM\REMINDER.EXE
C:\Program Files\Messenger\msmsgs.exe
G:\Program Files\Microsoft ActiveSync\Wcescomm.exe
G:\PROGRA~1\MICROS~4\rapimgr.exe
G:\Program Files\Alwil Software\Avast4\ashWebSv.exe
G:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\internet explorer\iexplore.exe
C:\PROGRA~1\YAHOO!\browser\ycommon.exe
C:\Documents and Settings\Steve\Desktop\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - G:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [anvshell] anvshell.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LGODDFU] "C:\Program Files\lg_fwupdate\fwupdate.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [btbb_wcm_McciTrayApp] C:\Program Files\btbb_wcm\McciTrayApp.exe
O4 - HKLM\..\Run: [avast!] G:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SideWinderTrayV4] G:\PROGRA~1\MICROS~3\GAMECO~1\Common\SWTrayV4.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Reminder] G:\PROGRAM FILES\MICROSOFT MONEY\SYSTEM\REMINDER.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "G:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKCU\..\Run: [PowerBar] "C:\Program Files\CyberLink DVD Solution\Multimedia Launcher\PowerBar.exe" /AtBootTime
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://G:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - G:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - G:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - G:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: BT Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - G:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - G:\PROGRA~1\SPYBOT~1\SDHelper.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - G:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - G:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - G:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - G:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - G:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: ASUS Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\SYSTEM32\YPCSER~1.EXE

--
End of file - 6639 bytes
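
Comparing this HijackThis log with the one posted on 02/12 is what the helper does before replying; the only changes are a new O4 PowerBar autostart and a running iexplore.exe. The following Python is an added example, not part of the thread or of HijackThis itself: it parses two logs into their running-process list and their R/O entries by section and reports what appeared or disappeared, over constructed excerpts taken from the two posted logs.

```python
import re

# "O4 - HKLM\..\Run: [avast!] G:\...\ashDisp.exe" -> section "O4", body = the rest
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.+)$")


def parse_hjt(log: str) -> dict:
    """Split a HijackThis log into its running-process list and its R/O entries by section."""
    processes, entries = set(), {}
    in_procs = False
    for raw in log.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        if not line:
            in_procs = False  # the blank line after the process list ends it
            continue
        if in_procs:
            processes.add(line.lower())  # HJT mixes System32/system32 spellings
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.setdefault(m["section"], set()).add(m["body"])
    return {"processes": processes, "entries": entries}


def diff_hjt(old: str, new: str) -> dict:
    """What appeared or disappeared between two logs, per section."""
    a, b = parse_hjt(old), parse_hjt(new)
    out = {
        "processes_added": sorted(b["processes"] - a["processes"]),
        "processes_removed": sorted(a["processes"] - b["processes"]),
        "entries_added": {},
        "entries_removed": {},
    }
    for section in sorted(set(a["entries"]) | set(b["entries"])):
        old_set = a["entries"].get(section, set())
        new_set = b["entries"].get(section, set())
        if new_set - old_set:
            out["entries_added"][section] = sorted(new_set - old_set)
        if old_set - new_set:
            out["entries_removed"][section] = sorted(old_set - new_set)
    return out


# Constructed excerpts of the 02/12 and 05/12 logs posted in this thread.
OLD_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:03:06, on 02/12/2007
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\Documents and Settings\Steve\Desktop\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - G:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [avast!] G:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

--
End of file - 6473 bytes
"""

NEW_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:56:00, on 05/12/2007
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Steve\Desktop\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - G:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [avast!] G:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PowerBar] "C:\Program Files\CyberLink DVD Solution\Multimedia Launcher\PowerBar.exe" /AtBootTime
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

--
End of file - 6639 bytes
"""

if __name__ == "__main__":
    changes = diff_hjt(OLD_LOG, NEW_LOG)
    for key, value in changes.items():
        print(f"{key}: {value}")
```

Every added O4 entry is something a helper would look up before declaring the machine clean; here it is a CyberLink launcher that ships with the PowerDVD software already listed in the log.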

#14 Yourhighness

    The BSG Malware Fighter

  • Malware Response Team
  • 7,943 posts
  • Gender:Male
  • Location:Hamburg

Posted 06 December 2007 - 12:32 AM

Hey StevieM,

Looking good. Just a few final words.

Please also have a look at the following links, giving some advice and suggestions for preventing future infections:

Now you should Set a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, your tools cannot access it to delete these bad files which sometimes can reinfect your system. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then go to Start > Run and type: Cleanmgr
  • Click "OK".
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.
I recommend you regularly visit the Windows Update Site , you are lagging behind on a few of them!
  • Lots of Hacking/Trojans use the methods found (plugged by the updates) that have not been stopped by people not updating.
  • By updating your machine, you have one less headache!
  • Update ALL Critical updates and any other Windows updates for services/programs that you use.
  • If you wish, you can also use automatic updates. This is a good thing to have if you want to be up-to-date all the time, but can also be a bit of an annoyance due to its handling and the sizes of the updates. If you wish to turn on automatic updates, you will find a nice little article here about turning on automatic updates.
  • Note that it will download them for you, but you still have to actually click install.
  • If you do not want to have automatic updates turned on, or are on dial-up, you can always download updates separately at: http://windowsupdate.microsoft.com.
It is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.

For a nice list of freeware programmes in all categories, please have a look at this thread with freeware products that are regarded as useful by the users of this forum: Commonly Used Freeware Replacements.

Another recommendation is to download HostsMan. It safeguards you with a regularly updated Hosts-file that blocks dangerous sites from opening. This adds another bit of safety while surfing the Internet. For installation and setting up, follow these steps:
  • Double-click the Downloaded installer and install the tool to a location of your choice
  • Via the Startmenu, navigate to HostsMan and run the program.
    • Click "Hosts" in the menu
    • Click "Manage Updates" in the submenu
    • Out of the three, select at least one of them (I have MVPS Host as my main one)
    • Click "Add Update." After that you will only need to click the update button to retrieve updates.
  • Click the X to exit the program.
  • Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.
Finally, and definitely the MOST IMPORTANT step, click on the following tutorial and follow each step listed there:

Simple and easy ways to keep your computer safe and secure on the Internet

Glad I was able to help and if there are any other problems related to your computer please feel free to post them in the appropriate forum. Though we help people with spyware and viruses here at BC, we also help people with other computer problems! Do not forget to tell your friends about us!

"How did I get infected?" - "Safe-hex" - Member of UNITE -

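The HostsMan advice above rests on the hosts-file mechanism: the file maps hostnames to addresses before DNS is consulted, so a blocklist that maps unwanted domains to a sink address (0.0.0.0 or 127.0.0.1) stops them from loading, and the same file can also be abused to send a browser somewhere it should not go. The following Python script is an added example, not HostsMan's code or anything from this thread, showing the mechanics a hosts-file manager has to get right: parsing the file, merging a blocklist while keeping the user's custom entries (the note about custom entries above), and flagging entries that point a name at a non-local address. The hosts contents, blocklist, hostnames and addresses are all constructed for the example.

```python
"""Added example: parse, merge and audit a hosts file (not HostsMan's code).

Assumptions made for this example:
  * a hosts line is "<address> <name> [<name> ...] [# comment]";
  * a blocklist uses a sink address (0.0.0.0 / 127.0.0.1), MVPS style;
  * any entry whose target is not a sink/loopback address is worth a
    second look, since it redirects the named host rather than blocking it.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

SINK_ADDRESSES = {"0.0.0.0", "127.0.0.1", "::1"}


@dataclass(frozen=True)
class HostsEntry:
    address: str
    names: tuple[str, ...]
    comment: str = ""

    def render(self) -> str:
        line = f"{self.address} {' '.join(self.names)}"
        return f"{line} # {self.comment}" if self.comment else line


def parse_hosts(text: str) -> list[HostsEntry]:
    """Parse hosts-file text; blank and comment-only lines are dropped."""
    entries = []
    for raw in text.splitlines():
        body, _, comment = raw.partition("#")
        fields = body.split()
        if not fields:
            continue  # blank or comment-only line
        if len(fields) < 2:
            raise ValueError(f"malformed hosts line: {raw!r}")
        ipaddress.ip_address(fields[0])  # raises ValueError on a bad address
        names = tuple(n.lower() for n in fields[1:])
        entries.append(HostsEntry(fields[0], names, comment.strip()))
    return entries


def merge_blocklist(existing: list[HostsEntry], blocklist: list[HostsEntry]) -> list[HostsEntry]:
    """Keep the user's existing entries, then append blocklist entries.

    A name already present in the existing file is not overridden by the
    blocklist, so custom mappings survive an update instead of being lost.
    """
    claimed = {n for e in existing for n in e.names}
    merged = list(existing)
    for entry in blocklist:
        names = tuple(n for n in entry.names if n not in claimed)
        if names:
            merged.append(HostsEntry(entry.address, names, entry.comment))
            claimed.update(names)
    return merged


def find_redirects(entries: list[HostsEntry]) -> list[HostsEntry]:
    """Return entries whose target is neither a sink nor a loopback address.

    Such an entry does not block the host, it redirects it; in a file that
    is supposed to be a blocklist that is exactly what an audit should show.
    Legitimate custom entries (a LAN device, say) will appear here too and
    simply need to be recognised by the person reviewing the list.
    """
    suspicious = []
    for e in entries:
        addr = ipaddress.ip_address(e.address)
        if e.address in SINK_ADDRESSES or addr.is_loopback or addr.is_unspecified:
            continue
        suspicious.append(e)
    return suspicious


# Constructed sample hosts file: one custom LAN mapping and one entry that
# sends a bank-looking name to an outside (documentation-range) address.
EXISTING_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
192.168.1.10    nas.home                # my NAS (custom entry)
203.0.113.7     www.example-bank.test   # not a sink address
"""

# Constructed sample blocklist in MVPS style; note it also lists nas.home,
# which the merge must not be allowed to clobber.
BLOCKLIST = """\
0.0.0.0 ads.example.test
0.0.0.0 tracker.example.test nas.home
"""


def demo() -> tuple[list[str], list[str]]:
    """Merge the samples and return (rendered lines, names pointing outside localhost)."""
    existing = parse_hosts(EXISTING_HOSTS)
    merged = merge_blocklist(existing, parse_hosts(BLOCKLIST))
    flagged = [e.names[0] for e in find_redirects(merged)]
    return [e.render() for e in merged], flagged


if __name__ == "__main__":
    lines, flagged = demo()
    print("\n".join(lines))
    print("entries pointing outside localhost:", flagged)
```

Running it shows the merged file with the user's `nas.home` entry intact and the blocklist's duplicate of that name dropped, and the audit lists both `nas.home` (expected, a LAN device) and `www.example-bank.test` (unexpected in a blocklist-only file). A review of a hosts file after a redirect infection is exactly this second list: anything that is not localhost or a sink address needs to be accounted for.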

#15 StevieM

StevieM
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  •  
  • Local time:12:24 PM

Posted 06 December 2007 - 01:51 PM

I really can't thank you enough.

It really is good to know that for every bad guy out there, there are more good guys willing to help.

A question I have to ask is why do you do this? I am glad you do I'm just curious as sadly not many people give their time and effort for free these days.

Finally I hope you have a good and happy Christmas and New Year.

Thanks again
Steve



