Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Google Search Results Redirecting To Different Site


  • Please log in to reply
11 replies to this topic

#1 lubbish

lubbish

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:06:42 PM

Posted 23 November 2007 - 01:50 PM

Hi there, I have an incredibly frustrating problem that occurs when I perform a search in google. After I search a keyword the results show up as normal but then when I click on one of the result links I am taken to some other page, usually a search page.

Below is my HJT log. Many Thanks



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:39:52, on 23/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Kontiki\KService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54GSv2.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Kontiki\KHost.exe
C:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\regsvr32.exe
C:\WINDOWS\system32\regsvr32.exe
C:\Program Files\SecCenter\scprot4.exe
C:\WINDOWS\system32\regsvr32.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe
C:\Program Files\Last.fm\LastFMHelper.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mim.exe
C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Sports Interactive\Football Manager 2008\fm.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\MSN Messenger\livecall.exe
C:\Program Files\Real\RealPlayer\realplay.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {16975C1E-950B-F58A-B187-08ED8F89A6B0} - C:\Program Files\Fajgmuno\skdgrarb.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: (no name) - {ED203331-9C33-49D8-8714-D24A366A04EC} - C:\WINDOWS\system32\yayaywv.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [OemReset] %systemroot%\OPTIONS\OEMRESET.EXE /AUDIT
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [4oD] "C:\Program Files\Kontiki\KHost.exe" -all
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [elkfytkh] rundll32.exe "C:\Program Files\elkfytkh\iporqlsf.dll",Init
O4 - HKLM\..\Run: [cfmpazen] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\cfmpazen.dll"
O4 - HKLM\..\Run: [zgdudafi] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\zgdudafi.dll"
O4 - HKLM\..\Run: [SC2] C:\Program Files\SecCenter\scprot4.exe
O4 - HKLM\..\Run: [orihuxqv] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\orihuxqv.dll"
O4 - HKLM\..\Run: [klknwlkr] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\klknwlkr.dll"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Belkin Wireless USB Utility.lnk = C:\Program Files\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe
O4 - Global Startup: HPAiODevice(hp officejet g series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe
O4 - Global Startup: Last.fm Helper.lnk = C:\Program Files\Last.fm\LastFMHelper.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: ymetray.lnk = C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {402EE96E-2CE8-482D-ADA5-CECEEA07E16D} (TurnTool Scene) - http://www.turntool.com/ViewerInstall.exe
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.truprint.co.uk/TruprintActivia.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by117fd.bay117.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/1193de1d17f3d2...ip/RdxIE601.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab56986.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1184022492750
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1184022487250
O16 - DPF: {6F750202-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/..._2/axofupld.cab
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - https://secure2.comned.com/signuptemplates/...login-devel.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfix.com/netcheck/67/install/gtdownls.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: winccf32 - winccf32.dll (file missing)
O20 - Winlogon Notify: yayaywv - C:\WINDOWS\SYSTEM32\yayaywv.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KService - Unknown owner - C:\Program Files\Kontiki\KService.exe
O23 - Service: WUSB54GSv2SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe

--
End of file - 11200 bytes

BC AdBot (Login to Remove)

 


#2 RenatoMejias

RenatoMejias

  • Malware Response Team
  • 913 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:42 PM

Posted 02 December 2007 - 10:04 AM

Hi, Wellcome to Bleeping Computer Forums!

My name is Renato Mejias, and I will help you to solve your problems :thumbsup:.

You might want to save this page on your favorites, so you can find it again when you return.

Please take note of the following:
  • I will be handling your log and helping you, please do not make any system changes yet.
  • The process is not instant. Please continue to review my answers until I tell you that your computer is clean. Be patience.
  • The fixes are specific to your problem and should only be used for this issue on this machine
  • If there's anything that you don't understand, please ask your question(s) before proceeding with the fixes.
  • Please reply to this thread. Do not start a new topic.

Renato Victor Mejias
Malware help in portuguese
jetian6yw.jpg

#3 lubbish

lubbish
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:06:42 PM

Posted 02 December 2007 - 03:41 PM

Hello Renato,

I am ready for your help.

#4 RenatoMejias

RenatoMejias

  • Malware Response Team
  • 913 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:42 PM

Posted 02 December 2007 - 06:49 PM

Hi, letīs go...

You don't appear to have a software anti-virus running.

Anti-virus software are programs that detect, cleanse, and erase harmful virus files on a computer, Web server, or network. Unchecked, virus files can unintentionally be forwarded to others, including trading partners and thereby spreading infection. Because new viruses regularly emerge, anti-virus software should be updated frequently. Anti-virus software can scan the computer memory and disk drives for malicious code. They can alert the user if a virus is present, and will clean, delete (or quarantine) infected files or directories. Please download a free anti-virus software from one these excellent vendors:

- Antivir PersonalEdition Classic
- avast! 4 Home Edition
- AVG

Next,

You don't appear to have a software firewall running

It is important that you use a software firewall, to prevent unauthorised traffic both out of and into your computer.
If you have disabled it, please re-enable it.
If you do not have a firewall installed, please download and instal one of these excellent (and free) products:It is important to note that you should only have one firewall installed at a time.

Next,

Some security programs with active monitoring processes are known to interfere with automatic scanners and can actually prevent HJT fixes from taking effect.

Please turn off or disable Spybot-S&D for the duration of your malware cleanup. It may be the case that this program will automatically restart upon reboot; it will be necessary to repeat these disabling steps as required. Once we have successfully removed all of the malware in your system, it is important that you re-enable it once again to prevent future reinfection.
  • Run Spybot-S&D in Advanced Mode.
  • If it is not already set to do this Go to the Mode menu select "Advanced Mode"
  • On the left hand side, Click on Tools
  • Then click on the Resident Icon in the List
  • Uncheck "Resident TeaTimer" and OK any prompts.
  • Restart your computer.
Next

Please download VundoFix.exe to your desktop
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK. After the reboot post a new Hijackthis log.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.
Renato Victor Mejias
Malware help in portuguese
jetian6yw.jpg

#5 lubbish

lubbish
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:06:42 PM

Posted 03 December 2007 - 07:31 PM

Hello,

I have followed your instructions and my new log is below:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:29:19, on 04/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Kontiki\KService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54GSv2.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe
C:\Program Files\Kontiki\KHost.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mim.exe
C:\Program Files\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe
C:\Program Files\Last.fm\LastFMHelper.exe
C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\WINDOWS\system32\hpoipm07.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {16975C1E-950B-F58A-B187-08ED8F89A6B0} - C:\Program Files\Llnmhamd\hqfeljhx.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: (no name) - {ED203331-9C33-49D8-8714-D24A366A04EC} - C:\WINDOWS\system32\yayaywv.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [OemReset] %systemroot%\OPTIONS\OEMRESET.EXE /AUDIT
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [elkfytkh] rundll32.exe "C:\Program Files\elkfytkh\iporqlsf.dll",Init
O4 - HKLM\..\Run: [cfmpazen] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\cfmpazen.dll"
O4 - HKLM\..\Run: [zgdudafi] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\zgdudafi.dll"
O4 - HKLM\..\Run: [SC2] C:\Program Files\SecCenter\scprot4.exe
O4 - HKLM\..\Run: [orihuxqv] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\orihuxqv.dll"
O4 - HKLM\..\Run: [klknwlkr] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\klknwlkr.dll"
O4 - HKLM\..\Run: [4oD] "C:\Program Files\Kontiki\KHost.exe" -all
O4 - HKLM\..\Run: [qpmncdwr] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\qpmncdwr.dll"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Belkin Wireless USB Utility.lnk = C:\Program Files\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe
O4 - Global Startup: HPAiODevice(hp officejet g series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe
O4 - Global Startup: Last.fm Helper.lnk = C:\Program Files\Last.fm\LastFMHelper.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: ymetray.lnk = C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {402EE96E-2CE8-482D-ADA5-CECEEA07E16D} (TurnTool Scene) - http://www.turntool.com/ViewerInstall.exe
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.truprint.co.uk/TruprintActivia.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by117fd.bay117.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/1193de1d17f3d2...ip/RdxIE601.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab56986.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1184022492750
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1184022487250
O16 - DPF: {6F750202-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/..._2/axofupld.cab
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - https://secure2.comned.com/signuptemplates/...login-devel.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A4069847-C342-48E2-9257-01A24E5C78EA} (F-Secure Online Scanner 3.2) - http://support.f-secure.com/ols3beta/fscax.cab
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfix.com/netcheck/67/install/gtdownls.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: winccf32 - winccf32.dll (file missing)
O20 - Winlogon Notify: yayaywv - yayaywv.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WUSB54GSv2SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe

--
End of file - 12172 bytes

#6 RenatoMejias

RenatoMejias

  • Malware Response Team
  • 913 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:42 PM

Posted 03 December 2007 - 08:48 PM

Please post the contents of C:\vundofix.txt
Renato Victor Mejias
Malware help in portuguese
jetian6yw.jpg

#7 lubbish

lubbish
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:06:42 PM

Posted 04 December 2007 - 04:13 PM

Hi not sure if it's this you require, let me know if it isn't.

Thanks

VundoFix V6.7.0

Checking Java version...

Java version is 1.5.0.7
Old versions of java are exploitable and should be removed.

Scan started at 23:45:15 03/12/2007

Listing files found while scanning....

C:\windows\system32\drvdenr.dll

Beginning removal...

Attempting to delete C:\windows\system32\drvdenr.dll
C:\windows\system32\drvdenr.dll Has been deleted!

Performing Repairs to the registry.
Done!

#8 RenatoMejias

RenatoMejias

  • Malware Response Team
  • 913 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:42 PM

Posted 05 December 2007 - 09:01 AM

Hi, letīs go again :thumbsup:.
  • Open a new notepad window
  • Paste the list of files from the quote box below into the notepad window.

    C:\WINDOWS\system32\yayaywv.dll
    C:\Program Files\elkfytkh\iporqlsf.dll
    C:\Documents and Settings\All Users\Application Data\cfmpazen.dll
    C:\Documents and Settings\All Users\Application Data\zgdudafi.dll
    C:\Documents and Settings\All Users\Application Data\orihuxqv.dll
    C:\Documents and Settings\All Users\Application Data\klknwlkr.dll
    C:\Documents and Settings\All Users\Application Data\qpmncdwr.dll

  • Save this as vundofix.vft and Save as type "all files".
  • Double-click VundoFix.exe to run it.
  • Drag vundofix.vft onto the listbox (white box) of VundoFix.
    Posted Image
  • Click the "Remove Vundo" button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

Next,

Download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2
Link 3


**Note: It is important that it is saved directly to your desktop**


--------------------------------------------------------------------

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

--------------------------------------------------------------------

Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review and the VundoFix log (C:\vundofix.txt).
Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall

Renato Victor Mejias
Malware help in portuguese
jetian6yw.jpg

#9 lubbish

lubbish
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:06:42 PM

Posted 05 December 2007 - 04:46 PM

Hello,

When I try to drag the vundofic.vft file into the vundofix window nothing happens if I click remove vundo it says no files to fix vundofix will now close.

Please help.

Thanks

#10 RenatoMejias

RenatoMejias

  • Malware Response Team
  • 913 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:42 PM

Posted 05 December 2007 - 09:08 PM

When I try to drag the vundofic.vft file into the vundofix window nothing happens if I click remove vundo it says no files to fix vundofix will now close.

No problem :thumbsup:.

Continue with the ComboFix and post the log.
Renato Victor Mejias
Malware help in portuguese
jetian6yw.jpg

#11 lubbish

lubbish
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:06:42 PM

Posted 08 December 2007 - 03:26 AM

Hello,

Here are the logs:

ComboFix 07-12-05.2 - Minh 2007-12-08 8:05:55.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.620 [GMT 0:00]
Running from: C:\Documents and Settings\Minh\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Minh\Application Data\inst.exe
C:\Documents and Settings\Minh\My Documents\TSKS~1
C:\Documents and Settings\Minh\My Documents\TSKS~1\T?sks\
C:\Program Files\SecCenter
C:\WINDOWS\system32\vgfddwtv
C:\WINDOWS\system32\vgfddwtv\bg1.gif
C:\WINDOWS\system32\vgfddwtv\bgtop.gif
C:\WINDOWS\system32\vgfddwtv\bottom1.gif
C:\WINDOWS\system32\vgfddwtv\essentials.gif
C:\WINDOWS\system32\vgfddwtv\icon1.ico
C:\WINDOWS\system32\vgfddwtv\install1.gif
C:\WINDOWS\system32\vgfddwtv\left1.gif
C:\WINDOWS\system32\vgfddwtv\li.gif
C:\WINDOWS\system32\vgfddwtv\logo.gif
C:\WINDOWS\system32\vgfddwtv\main.htm
C:\WINDOWS\system32\vgfddwtv\mainframe.htm
C:\WINDOWS\system32\vgfddwtv\reinstall1.gif
C:\WINDOWS\system32\vgfddwtv\right1.gif
C:\WINDOWS\system32\vgfddwtv\s1.htm
C:\WINDOWS\system32\vgfddwtv\s2.htm
C:\WINDOWS\system32\vgfddwtv\s3.htm
C:\WINDOWS\system32\vgfddwtv\SMTop1.gif
C:\WINDOWS\system32\vgfddwtv\SMTop2.gif
C:\WINDOWS\system32\vgfddwtv\SMTop3.gif
C:\WINDOWS\system32\vgfddwtv\SMTop4.gif
C:\WINDOWS\system32\vgfddwtv\soft1_off.gif
C:\WINDOWS\system32\vgfddwtv\soft1_off_ext.gif
C:\WINDOWS\system32\vgfddwtv\soft1_on.gif
C:\WINDOWS\system32\vgfddwtv\soft1_on_ext.gif
C:\WINDOWS\system32\vgfddwtv\soft2_off.gif
C:\WINDOWS\system32\vgfddwtv\soft2_off_ext.gif
C:\WINDOWS\system32\vgfddwtv\soft2_on.gif
C:\WINDOWS\system32\vgfddwtv\soft2_on_ext.gif
C:\WINDOWS\system32\vgfddwtv\soft3_off.gif
C:\WINDOWS\system32\vgfddwtv\soft3_off_ext.gif
C:\WINDOWS\system32\vgfddwtv\soft3_on.gif
C:\WINDOWS\system32\vgfddwtv\soft3_on_ext.gif
C:\WINDOWS\system32\vgfddwtv\softbottom_off.gif
C:\WINDOWS\system32\vgfddwtv\softbottom_on.gif
C:\WINDOWS\system32\vgfddwtv\softleft_off.gif
C:\WINDOWS\system32\vgfddwtv\softleft_on.gif
C:\WINDOWS\system32\vgfddwtv\top1.gif
C:\WINDOWS\system32\vgfddwtv\top2.gif
C:\WINDOWS\system32\vgfddwtv\turnoff1.gif
C:\WINDOWS\system32\vgfddwtv\turnon1.gif
C:\WINDOWS\system32\vgfddwtv\vgfddwtv1.exe
C:\WINDOWS\system32\vgfddwtv\vgfddwtv2.exe
C:\WINDOWS\system32\vgfddwtv\vgfddwtv3.exe
C:\WINDOWS\system32\xpdx.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\xpdx


((((((((((((((((((((((((( Files Created from 2007-11-08 to 2007-12-08 )))))))))))))))))))))))))))))))
.

2007-12-07 22:45 . 2007-12-07 22:45 268 --ah----- C:\sqmdata10.sqm
2007-12-07 22:45 . 2007-12-07 22:45 244 --ah----- C:\sqmnoopt10.sqm
2007-12-06 23:23 . 2007-12-07 08:00 <DIR> d-------- C:\Documents and Settings\Cho smells\Application Data\AVG7
2007-12-04 00:35 . 2007-12-07 08:00 <DIR> d-------- C:\Documents and Settings\Linda\Application Data\AVG7
2007-12-03 23:45 . 2007-12-05 20:59 <DIR> d-------- C:\VundoFix Backups
2007-12-03 23:26 . 2007-12-08 08:21 22,751,264 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-12-03 23:26 . 2007-12-08 08:18 267,620 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2007-12-03 23:21 . 2007-12-03 23:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2007-12-03 23:21 . 2007-12-03 23:23 4,212 --ah----- C:\WINDOWS\system32\zllictbl.dat
2007-12-03 23:19 . 2007-12-08 08:19 <DIR> d-------- C:\WINDOWS\Internet Logs
2007-12-03 23:19 . 2007-12-08 08:19 353,247 --a------ C:\WINDOWS\system32\vsconfig.xml
2007-12-03 23:11 . 2007-12-08 08:20 <DIR> d-------- C:\Documents and Settings\Minh\Application Data\AVG7
2007-12-03 23:11 . 2007-12-03 23:11 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2007-12-03 23:11 . 2007-12-03 23:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-12-03 23:11 . 2007-12-04 17:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2007-12-03 22:51 . 2007-12-03 23:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2007-12-02 15:55 . 2007-12-02 15:55 268 --ah----- C:\sqmdata09.sqm
2007-12-02 15:55 . 2007-12-02 15:55 244 --ah----- C:\sqmnoopt09.sqm
2007-11-26 23:19 . 2007-11-26 23:19 268 --ah----- C:\sqmdata08.sqm
2007-11-26 23:19 . 2007-11-26 23:19 244 --ah----- C:\sqmnoopt08.sqm
2007-11-26 00:39 . 2007-12-03 23:14 <DIR> d-------- C:\Program Files\Llnmhamd
2007-11-24 14:41 . 2007-11-24 14:41 <DIR> d-------- C:\Program Files\Channel4
2007-11-24 14:40 . 2007-11-24 14:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Channel4
2007-11-23 19:13 . 2007-11-23 19:13 <DIR> d-------- C:\fsaua.data
2007-11-23 18:57 . 2007-12-03 23:06 <DIR> d-------- C:\Program Files\Kerio
2007-11-23 18:38 . 2007-11-23 18:38 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-23 17:55 . 2007-12-04 19:24 <DIR> d-------- C:\Program Files\Fajgmuno
2007-11-23 16:54 . 2007-12-04 19:24 <DIR> d-------- C:\Program Files\Tfbmszyr
2007-11-23 16:36 . 2007-11-23 16:41 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-11-23 16:29 . 2007-11-23 16:30 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-11-23 16:29 . 2007-11-23 16:32 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2007-11-23 16:29 . 2007-11-23 16:29 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2007-11-23 16:29 . 2007-11-23 16:29 1,406 --a------ C:\WINDOWS\system32\Help.ico
2007-11-23 15:26 . 2007-11-23 15:25 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-11-23 15:25 . 2007-11-23 15:27 <DIR> d-------- C:\Documents and Settings\Minh\.housecall6.6
2007-11-23 14:55 . 2007-11-23 16:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-23 12:15 . 2007-12-04 19:24 <DIR> d-------- C:\Program Files\Bfmkepiv
2007-11-23 12:14 . 2007-11-23 12:14 142 --a------ C:\temp2.bat
2007-11-23 12:13 . 2007-12-04 19:24 <DIR> d-------- C:\Program Files\Soawjwfq
2007-11-23 12:13 . 2007-12-04 19:24 <DIR> d-------- C:\Program Files\elkfytkh
2007-11-23 12:13 . 2007-11-23 12:14 1,149,472 --a------ C:\Install
2007-11-23 02:53 . 2007-11-23 02:54 <DIR> d-------- C:\Program Files\MagicISO
2007-11-18 19:01 . 2007-11-18 19:01 268 --ah----- C:\sqmdata07.sqm
2007-11-18 19:01 . 2007-11-18 19:01 244 --ah----- C:\sqmnoopt07.sqm
2007-11-18 18:40 . 2007-11-18 19:00 <DIR> d-------- C:\Documents and Settings\Cho smells\Application Data\Azureus
2007-11-18 18:24 . 2007-11-18 18:24 <DIR> d-------- C:\Documents and Settings\Cho smells\Application Data\Apple Computer

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-08 08:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kontiki
2007-12-07 22:23 --------- d-----w C:\Documents and Settings\Cho smells\Application Data\Skype
2007-12-03 23:06 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-25 00:16 --------- d-----w C:\Documents and Settings\Minh\Application Data\Azureus
2007-11-24 14:41 --------- d-----w C:\Program Files\Kontiki
2007-11-23 13:23 9,344 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
2007-11-23 13:23 8,320 ----a-w C:\WINDOWS\system32\drivers\AWRTRD.sys
2007-11-07 19:00 26,360 ----a-w C:\Documents and Settings\Minh\Application Data\GDIPFONTCACHEV1.DAT
2007-11-04 16:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2007-11-04 15:55 --------- d-----w C:\Program Files\Viewpoint
2007-11-04 15:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-11-04 15:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL OCP
2007-11-04 15:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL Downloads
2007-11-04 15:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo!
2007-11-04 15:35 --------- d-----w C:\Program Files\Yahoo!
2007-10-26 22:07 --------- d-----w C:\Program Files\TurnTool
2007-10-25 10:26 53,248 ----a-w C:\WINDOWS\bdoscandel.exe
2007-10-20 10:48 --------- d-----w C:\Documents and Settings\Minh\Application Data\Sports Interactive
2007-10-20 10:42 107,888 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2007-10-20 10:42 --------- d--h--r C:\Documents and Settings\Minh\Application Data\SecuROM
2007-10-20 10:41 --------- d--h--w C:\Program Files\Zero G Registry
2007-10-20 10:39 --------- d-----w C:\Program Files\Sports Interactive
2007-10-17 13:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\Last.fm
2007-10-17 13:08 --------- d-----w C:\Program Files\Last.fm
2007-10-13 15:54 --------- d-----w C:\Program Files\iTunes
2007-10-13 15:54 --------- d-----w C:\Program Files\iPod
2007-10-13 15:50 --------- d-----w C:\Program Files\Apple Software Update
2007-10-09 18:58 --------- d-----w C:\Program Files\Java
2007-09-24 18:38 26,360 ----a-w C:\Documents and Settings\Linda\Application Data\GDIPFONTCACHEV1.DAT
2007-08-23 16:41 47,360 ----a-w C:\Documents and Settings\Minh\Application Data\pcouffin.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{16975C1E-950B-F58A-B187-08ED8F89A6B0}]
C:\Program Files\Llnmhamd\hqfeljhx.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ED203331-9C33-49D8-8714-D24A366A04EC}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-14 22:26]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56]
"kdx"="C:\Program Files\Kontiki\KHost.exe" [2007-04-23 11:23]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OemReset"="C:\WINDOWS\OPTIONS\OEMRESET.exe" []
"Cmaudio"="RunDll32 cmicnfg.cpl" []
"NeroCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 17:50]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-07-11 18:56]
"MimBoot"="C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe" [2006-01-19 10:06]
"MMTray"="C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [2006-01-19 10:06]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 05:24]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-03 23:56 C:\WINDOWS\system32\bthprops.cpl]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-26 13:42]
"4oD"="C:\Program Files\Kontiki\KHost.exe" [2007-04-23 11:23]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-03 23:11]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-09-06 16:14]
"@"="" []
"elkfytkh"="C:\Program Files\elkfytkh\iporqlsf.dll" []
"cfmpazen"="regsvr32 /u C:\Documents and Settings\All Users\Application Data\cfmpazen.dll" []
"orihuxqv"="regsvr32 /u C:\Documents and Settings\All Users\Application Data\orihuxqv.dll" []
"qpmncdwr"="regsvr32 /u C:\Documents and Settings\All Users\Application Data\qpmncdwr.dll" []

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-03 23:56]
"NvMediaCenter"="RUNDLL32.exe" [2004-08-03 23:56 C:\WINDOWS\system32\rundll32.exe]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-12-03 23:11]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Belkin Wireless USB Utility.lnk - C:\Program Files\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe [2005-10-28 10:23:10]
HPAiODevice(hp officejet g series) - 1.lnk - C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe [2002-11-20 16:15:00]
Last.fm Helper.lnk - C:\Program Files\Last.fm\LastFMHelper.exe [2007-10-13 19:45:46]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 00:01:04]
ymetray.lnk - C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe [2007-06-28 08:59:56]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winccf32]
winccf32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\yayaywv]
yayaywv.dll

S3 ICAM5USB;Intel® PC Camera CS110;C:\WINDOWS\system32\Drivers\Icam5USB.sys
S3 USBAAPL;Apple Mobile USB Driver;C:\WINDOWS\system32\Drivers\usbaapl.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-11-08 07:57:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1318 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-08 08:21:15
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-08 8:22:13 - machine was rebooted
.
--- E O F ---




HIJACK THIS

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 08:25:23, on 08/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Kontiki\KService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54GSv2.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Kontiki\KHost.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe
C:\Program Files\Last.fm\LastFMHelper.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mim.exe
C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\MMDiag.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\WINDOWS\system32\hpoipm07.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {16975C1E-950B-F58A-B187-08ED8F89A6B0} - C:\Program Files\Llnmhamd\hqfeljhx.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [OemReset] %systemroot%\OPTIONS\OEMRESET.EXE /AUDIT
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [4oD] "C:\Program Files\Kontiki\KHost.exe" -all
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Belkin Wireless USB Utility.lnk = C:\Program Files\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe
O4 - Global Startup: HPAiODevice(hp officejet g series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe
O4 - Global Startup: Last.fm Helper.lnk = C:\Program Files\Last.fm\LastFMHelper.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: ymetray.lnk = C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {402EE96E-2CE8-482D-ADA5-CECEEA07E16D} (TurnTool Scene) - http://www.turntool.com/ViewerInstall.exe
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.truprint.co.uk/TruprintActivia.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by117fd.bay117.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/1193de1d17f3d2...ip/RdxIE601.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab56986.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1184022492750
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1184022487250
O16 - DPF: {6F750202-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/..._2/axofupld.cab
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - https://secure2.comned.com/signuptemplates/...login-devel.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A4069847-C342-48E2-9257-01A24E5C78EA} (F-Secure Online Scanner 3.2) - http://support.f-secure.com/ols3beta/fscax.cab
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfix.com/netcheck/67/install/gtdownls.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: winccf32 - winccf32.dll (file missing)
O20 - Winlogon Notify: yayaywv - yayaywv.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WUSB54GSv2SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe

--
End of file - 11225 bytes

#12 RenatoMejias

RenatoMejias

  • Malware Response Team
  • 913 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:42 PM

Posted 09 December 2007 - 01:22 PM

Hi :thumbsup:.

1. Very Important! Temporarily disable your anti-virus AVG and the Ad-Aware . They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".

2. Close any open browsers.

3. Open notepad and copy/paste the text in the quotebox below into it:

Folder::
C:\Program Files\Bfmkepiv
C:\Program Files\Soawjwfq
C:\Program Files\elkfytkh
C:\Program Files\Llnmhamd
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{16975C1E-950B-F58A-B187-08ED8F89A6B0}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ED203331-9C33-49D8-8714-D24A366A04EC}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"elkfytkh"=-
"cfmpazen"=-
"orihuxqv"=-
"qpmncdwr"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winccf32]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\yayaywv]


Save this as CFScript.txt, in the same location as ComboFix.exe

Posted Image

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt". Please, post this log along a new Hijackthis log.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall
Renato Victor Mejias
Malware help in portuguese
jetian6yw.jpg




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users