Infected With Virus Found Lop


  • This topic is locked
52 replies to this topic

#1 Booman
  • Banned

Posted 21 January 2008 - 12:34 PM

...I had the LOP before...and the Virtumonde....I have a screenshot of the infection

http://i229.photobucket.com/albums/ee189/d...lfman/nolop.jpg
http://i229.photobucket.com/albums/ee189/d...wolfman/lop.jpg

Here is the HJT Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:32:47 PM, on 1/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\UPHClean\uphclean.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgvv.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\ScreenshotCaptor\ScreenshotCaptor.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2E9D4C81-9F27-4c14-B804-7B0F6BC88A4F} - C:\Program Files\Outerinfo\Outerinfo.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [Apoint] "C:\Program Files\Apoint2K\Apoint.exe"
O4 - HKLM\..\Run: [eabconfg.cpl] "C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" /Start
O4 - HKLM\..\Run: [SynTPLpr] "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe"
O4 - HKLM\..\Run: [hpWirelessAssistant] "C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe"
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [SynTPStart] "C:\Program Files\Synaptics\SynTP\SynTPStart.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [MSDrive] rundll32.exe C:\WINDOWS\system32\drvduk.dll,startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
O15 - Trusted Zone: *.issist.ca
O15 - Trusted Zone: *.issist.com
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {A4069847-C342-48E2-9257-01A24E5C78EA} (F-Secure Online Scanner 3.2) - http://support.f-secure.com/ols3beta/fscax.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab
O20 - Winlogon Notify: opnmjgf - C:\WINDOWS\SYSTEM32\opnmjgf.dll
O20 - Winlogon Notify: winjyp32 - C:\WINDOWS\SYSTEM32\winjyp32.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe

--
End of file - 8273 bytes


Here is the HJT uninstall log

ABBYY FineReader 6.0 Sprint
Adobe Anchor Service CS3
Adobe Asset Services CS3
Adobe Bridge CS3
Adobe Bridge Start Meeting
Adobe Camera Raw 4.0
Adobe CMaps
Adobe Color - Photoshop Specific
Adobe Color Common Settings
Adobe Color EU Extra Settings
Adobe Color JA Extra Settings
Adobe Color NA Recommended Settings
Adobe Default Language CS3
Adobe Device Central CS3
Adobe ExtendScript Toolkit 2
Adobe ExtendScript Toolkit 2
Adobe Flash Player ActiveX
Adobe Flash Player Plugin
Adobe Fonts All
Adobe Help Viewer CS3
Adobe Linguistics CS3
Adobe PDF Library Files
Adobe Photoshop CS3
Adobe Photoshop CS3
Adobe Reader 8.1.1
Adobe Setup
Adobe Setup
Adobe Shockwave Player
Adobe Stock Photos 1.0
Adobe Stock Photos CS3
Adobe Type Support
Adobe Update Manager CS3
Adobe Version Cue CS3 Client
Adobe WinSoft Linguistics Plugin
Adobe XMP Panels CS3
AIM 6
ALPS Touch Pad Driver
Apple Mobile Device Support
Apple Software Update
ATI - Software Uninstall Utility
ATI Control Panel
ATI Display Driver
Audacity 1.2.6
AVG 7.5
Broadcom 802.11 Wireless LAN Adapter
CA Yahoo! Anti-Spy (remove only)
Conexant AC-Link Audio
Convert
Data Fax SoftModem with SmartCP
DcUpdater 1.23.01
Dexpot 1.4
Empire Earth II
Empire Earth II: The Art of Supremacy
FireTune
Free Video to Mp3 Converter version 2.8
Free YouTube to iPod Converter version 2.8
GIMP 2.4.2
Google Earth
HijackThis 2.0.2
Hotfix for Windows Media Format SDK (KB902344)
Hotfix for Windows XP (KB896344)
Hotfix for Windows XP (KB915865)
HP Help and Support
HP Wireless Assistant 2.00 C1
HyperCam 2
InterVideo DVD Check
InterVideo WinDVD
iTunes
Java™ 6 Update 3
Labtec Legacy USB Camera Driver Package
Lexmark 2300 Series
Lexmark Fax Solutions
Logitech Audio Echo Cancellation Component
Logitech QuickCam
Logitech QuickCam Driver Package
Logitech Video Enumerator
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft .NET Framework 3.0 Service Pack 1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Professional 2007
Microsoft Office Professional 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Windows Journal Viewer
Mozilla Firefox (2.0.0.11)
Mozilla Sunbird (0.7)
Mozilla Thunderbird (2.0.0.9)
MSXML 4.0 SP2 (KB936181)
MSXML 6.0 Parser (KB933579)
MVision
NetWaiting
New Folder Here
OpenOffice.org 2.3
PDF Settings
Pivot Stickfigure Animator
Python 2.5.1
Quick Launch Buttons 5.10 B5
QuickTime
Revo Uninstaller 1.42
Screenshot Captor 2.37.03
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901190)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB942615)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944653)
Spelling Dictionaries Support For Adobe Reader 8
Spyware Doctor 5.1
Synaptics Pointing Device Driver
Texas Instruments PCIxx21/x515 drivers.
Texas Instruments PCIxx21/x515/xx12 drivers.
Tweak UI
Uniblue RegistryBooster 2
Uniblue SpeedUpMyPC 3
Uniblue SpyEraser
Uninstall 1.0.0.0
Unlocker 1.8.5
Update for Outlook 2007 Junk Email Filter (kb943597)
Update for Windows XP (KB894391)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920342)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB942763)
User Profile Hive Cleanup Service
Weather Pulse 2.05 build 36
Windows Backup Utility
Windows Driver Package - Advanced Micro Devices (AmdK8) Processor (05/27/2006 1.3.2.0)
Windows Installer 3.1 (KB893803)
Windows Installer Clean Up
Windows Internet Explorer 7
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
WinZip 11.1
Yahoo! Messenger
Yahoo! Toolbar

Edited by Booman, 21 January 2008 - 12:41 PM.
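As an added example that is not part of this thread and not HijackThis code: a small Python triage script that applies, to lines copied from the logs posted above, the kind of checks a log helper does by eye (Winlogon Notify DLLs, rundll32 Run entries, win.ini autostarts, SSODL DLLs under the Installer folder, BHOs whose file is missing, hijacked search settings). The allowlists `NOTIFY_ALLOW` and `SEARCH_HOSTS`, the rules themselves, and every function and class name are assumptions chosen for illustration.

```python
"""Triage helper for HijackThis-style log lines.

Added example, not HijackThis code and not from this thread's author. It
re-implements a few of the checks a log reviewer applies by eye: the
allowlists and the suspicious-pattern rules are assumptions chosen for
illustration, and the sample lines below are copied from the thread's logs.
"""
import re
from typing import List, NamedTuple, Optional


class Finding(NamedTuple):
    section: str   # HJT section tag, e.g. "O20"
    reason: str    # why the line deserves a closer look
    line: str      # the raw log line


# One HijackThis entry: "<section> - <body>", e.g. "O20 - Winlogon Notify: x - path"
ENTRY = re.compile(r"^(?P<section>[RFO]\d+)\s+-\s+(?P<body>.+)$")

# Winlogon\Notify subkeys shipped with Windows XP plus common vendor ones
# (assumption: extend for your own build image).
NOTIFY_ALLOW = {
    "crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule", "sclgntfy",
    "senslogn", "termsrv", "wlballoon", "wgalogon", "igfxcui", "atiextevent",
}
# Hosts accepted as browser default/search targets (assumption).
SEARCH_HOSTS = {"go.microsoft.com", "www.google.com", "search.yahoo.com"}
# DLL dropped under C:\WINDOWS\Installer\{GUID}\ and loaded via SSODL
INSTALLER_GUID_DIR = re.compile(r"\\Installer\\\{[0-9a-f-]+\}\\", re.I)


def host_of(url: str) -> str:
    """Return the host part of a URL or bare hostname, lower-cased."""
    m = re.search(r"(?:https?://)?([^/\s]+)", url)
    return m.group(1).lower() if m else ""


def classify(line: str) -> Optional[Finding]:
    """Return a Finding when the line matches a suspicious pattern, else None."""
    m = ENTRY.match(line.strip())
    if not m:
        return None
    sec, body = m.group("section"), m.group("body")

    if sec == "O20" and body.startswith("Winlogon Notify:"):
        # Winlogon Notify DLLs are loaded by winlogon.exe at every logon.
        name = body.split(":", 1)[1].split(" - ")[0].strip().lower()
        if name not in NOTIFY_ALLOW:
            return Finding(sec, "non-standard Winlogon Notify DLL", line)
    elif sec == "O4" and "rundll32" in body.lower():
        # A Run key that bootstraps a DLL through rundll32 hides the real payload.
        return Finding(sec, "Run key loads a DLL through rundll32", line)
    elif sec == "F3" and "win.ini" in body and "run=" in body:
        # win.ini run= is a legacy autostart that modern installers do not use.
        return Finding(sec, "legacy win.ini run= autostart", line)
    elif sec == "O21" and INSTALLER_GUID_DIR.search(body):
        return Finding(sec, "SSODL DLL stored under Installer\\{GUID}", line)
    elif sec == "O2" and "(file missing)" in body:
        # Leftover registration: the BHO file is gone but the CLSID remains.
        return Finding(sec, "BHO registration points at a missing file", line)
    elif sec in ("R0", "R1") and any(
        k in body for k in ("Search", "Start Page", "Default_Page_URL")
    ):
        target = body.split(" = ", 1)[-1]
        if host_of(target) not in SEARCH_HOSTS:
            return Finding(sec, "search/start page points at unexpected host", line)
    return None


def scan_log(text: str) -> List[Finding]:
    """Classify every line of a log and return the findings in log order."""
    return [f for f in (classify(l) for l in text.splitlines()) if f]


# Sample lines, constructed from the logs posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {2E9D4C81-9F27-4c14-B804-7B0F6BC88A4F} - C:\Program Files\Outerinfo\Outerinfo.dll (file missing)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [MSDrive] rundll32.exe C:\WINDOWS\system32\drvduk.dll,startup
O20 - Winlogon Notify: opnmjgf - C:\WINDOWS\SYSTEM32\opnmjgf.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchgateway.net/search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F3 - REG:win.ini: run="C:\WINDOWS\system32\winupdate.exe"
O21 - SSODL: zip - {55b650d9-3c6d-436d-bb62-7b50a7a5b487} - C:\WINDOWS\Installer\{55b650d9-3c6d-436d-bb62-7b50a7a5b487}\zip.dll
"""

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f.section:4} {f.reason}\n     {f.line}")
```

Run on the sample, the script flags six of the ten lines and leaves the AVG Run entry, the ATI service, the Google start page and the ProxyOverride setting alone. The O20 rule depends entirely on the allowlist, which is why HijackThis hides the stock Notify packages by default and why a helper still reads the flagged lines rather than trusting a script's verdict.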



#2 Booman
  • Topic Starter

Posted 21 January 2008 - 03:16 PM

I just got SUPERAntiSpyware free and it found something...and then I rebooted and I got a Blue Screen of Death and the PC rebooted...then I went on my main account and UNABLE TO LOAD this file..I have screenshots...and I got attacked with this Outerinfo and many trojans...AND I UNINSTALLED IT BEFORE and IDK how it came back....I have screenshots...

http://i229.photobucket.com/albums/ee189/d...s/outerinfo.jpg
http://i229.photobucket.com/albums/ee189/d...rors/ohcrap.jpg
http://i229.photobucket.com/albums/ee189/d...s/OMGHELLPP.jpg
http://i229.photobucket.com/albums/ee189/d...ors/viruses.jpg

Here is the SAS log

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 01/21/2008 at 02:33 PM

Application Version : 3.9.1008

Core Rules Database Version : 3384
Trace Rules Database Version: 1378

Scan type : Quick Scan
Total Scan Time : 01:11:20

Memory items scanned : 513
Memory threats detected : 1
Registry items scanned : 911
Registry threats detected : 14
File items scanned : 11220
File threats detected : 6

Trojan.Unclassifed/AffiliateBundle
C:\WINDOWS\SYSTEM32\OPNMJGF.DLL
C:\WINDOWS\SYSTEM32\OPNMJGF.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks#{89A1E40D-0254-4F99-B9AE-B60A2D8754A9}
HKCR\CLSID\{89A1E40D-0254-4F99-B9AE-B60A2D8754A9}
HKCR\CLSID\{89A1E40D-0254-4F99-B9AE-B60A2D8754A9}\InprocServer32
HKCR\CLSID\{89A1E40D-0254-4F99-B9AE-B60A2D8754A9}\InprocServer32#ThreadingModel
Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\opnmjgf

Adware.Tracking Cookie
C:\Documents and Settings\Jeff Crooks\Cookies\jeff_crooks@ad.outerinfoads[1].txt

Adware.ClickSpring
HKLM\Software\ClickSpring
HKLM\Software\ClickSpring#UBWKR

Trojan.Unknown Origin
HKLM\SOFTWARE\Microsoft\MSSMGR
HKLM\SOFTWARE\Microsoft\MSSMGR#Data
HKLM\SOFTWARE\Microsoft\MSSMGR#Brnd
HKLM\SOFTWARE\Microsoft\MSSMGR#MSLIST
HKLM\SOFTWARE\Microsoft\MSSMGR#PID
HKLM\SOFTWARE\Microsoft\MSSMGR#Rid
HKLM\SOFTWARE\Microsoft\MSSMGR#OCCUR

Adware.OuterInfo-Installer
C:\DOCUMENTS AND SETTINGS\JEFF CROOKS\LOCAL SETTINGS\TEMP\WINC.EXE

Trojan.Unclassified/DRV-Slice
C:\WINDOWS\SYSTEM32\DRVDUK.DLL

Malware.WinAntiSpyware-Installer
C:\WINDOWS\SYSTEM32\DRVDUKR.DLL

Adware.Vundo Variant
C:\WINDOWS\SYSTEM32\VTSTS.DLL

#3 Booman
  • Topic Starter

Posted 21 January 2008 - 03:52 PM

I am running VundoFix right now...and Spyware Doctor found VIRTUMONDE...what a surprise

#4 Falu
  • Security Colleague
  • Location:The Netherlands

Posted 05 February 2008 - 05:34 AM

Hi Booman, :thumbsup:

If you still need help please post a new HijackThis log as a reply to this topic. Before posting the log, please make sure you follow all the steps found in this topic: Preparation Guide for use before posting a HijackThis Log, and I'll be happy to look at it for you.

Thanks for your patience. :blink:

#5 Booman
  • Topic Starter

Posted 08 February 2008 - 07:20 PM

Yeah....um I kinda fixed the first issue....and yeah...I did an HJT scan and I found the Vundo...and some other thingies...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:19:00 PM, on 2/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashSimpl.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Documents and Settings\Jeff\Desktop\VundoFix.exe
C:\Program Files\VS Revo Group\Revo Uninstaller\revouninstaller.exe
C:\Documents and Settings\Jeff\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.searchgateway.net/search
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchgateway.net/search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.searchgateway.net/search-Google...D%3A11&q=%s
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
F3 - REG:win.ini: run="C:\WINDOWS\system32\winupdate.exe"
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O21 - SSODL: PrxPrx - {aa6e7caa-58e7-4317-98cb-7dfb4680083d} - C:\WINDOWS\Installer\{aa6e7caa-58e7-4317-98cb-7dfb4680083d}\PrxPrx.dll
O21 - SSODL: zip - {55b650d9-3c6d-436d-bb62-7b50a7a5b487} - C:\WINDOWS\Installer\{55b650d9-3c6d-436d-bb62-7b50a7a5b487}\zip.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

--
End of file - 6425 bytes



Um, please don't make me do an online virus scan...a web page opened with a scan-for-virus thingy and AVAST! found a trojan from it downloading..I did not even have Firefox opened....I blocked the website and I am running VUNDOFIX right now...but the other issues I need help with please

#6 Booman
  • Topic Starter

Posted 08 February 2008 - 10:22 PM

OMG....VundoFix found 6 Vundos....-sighs- what else is new LOL....sorry for the delay in my replies...I have been having issues with the stupid infections....I recently wiped my PC but I had a BSOD and the work I tried to wipe along with the PC was transferred...oh well, it's gone now..um do you want the link to the one website that downloads a trojan automatically without clicking on anything?

#7 Booman
  • Topic Starter

Posted 09 February 2008 - 12:23 AM

OK, I removed the Vundo with VundoFix and did a scan with SUPERAntiSpyware....then when I rebooted Avast kept on annoying me with this trojan thing it cannot remove.....I have a video of it on YouTube...and I have the VF log and the SAS log and some more data on this incurable trojan.....


Here is the info on the trojan from the log on AVAST
Scanning of selected files
------------------------------------------------------------------------------------------
Program will try to scan 10 selected file(s) in the Chest

Move files to temporary folder: C:\DOCUME~1\Jeff\LOCALS~1\Temp\_avast4_\unp85055346.tmp
FileID: 0000000031 Original file name: C:\WINDOWS\system32\kernel32.dll New folder: C:\DOCUME~1\Jeff\LOCALS~1\Temp\_avast4_\unp85055346.tmp\31.dll
FileID: 0000000034 Original file name: C:\Program Files\tmp176609.exe New folder: C:\DOCUME~1\Jeff\LOCALS~1\Temp\_avast4_\unp85055346.tmp\34.exe
FileID: 0000000036 Original file name: C:\Program Files\tmp176625.exe New folder: C:\DOCUME~1\Jeff\LOCALS~1\Temp\_avast4_\unp85055346.tmp\36.exe
FileID: 0000000035 Original file name: C:\Program Files\tmp176656.exe New folder: C:\DOCUME~1\Jeff\LOCALS~1\Temp\_avast4_\unp85055346.tmp\35.exe
FileID: 0000000037 Original file name: C:\Program Files\tmp176687.exe New folder: C:\DOCUME~1\Jeff\LOCALS~1\Temp\_avast4_\unp85055346.tmp\37.exe
FileID: 0000000038 Original file name: C:\Program Files\tmp176734.exe New folder: C:\DOCUME~1\Jeff\LOCALS~1\Temp\_avast4_\unp85055346.tmp\38.exe
FileID: 0000000039 Original file name: C:\Program Files\tmp176765.exe New folder: C:\DOCUME~1\Jeff\LOCALS~1\Temp\_avast4_\unp85055346.tmp\39.exe
FileID: 0000000040 Original file name: C:\Program Files\tmp176796.exe New folder: C:\DOCUME~1\Jeff\LOCALS~1\Temp\_avast4_\unp85055346.tmp\40.exe
FileID: 0000000032 Original file name: C:\WINDOWS\system32\winsock.dll New folder: C:\DOCUME~1\Jeff\LOCALS~1\Temp\_avast4_\unp85055346.tmp\32.dll
FileID: 0000000033 Original file name: C:\WINDOWS\system32\wsock32.dll New folder: C:\DOCUME~1\Jeff\LOCALS~1\Temp\_avast4_\unp85055346.tmp\33.dll

Scan files in the temporary folder: C:\DOCUME~1\Jeff\LOCALS~1\Temp\_avast4_\unp85055346.tmp
C:\DOCUME~1\Jeff\LOCALS~1\Temp\_avast4_\unp85055346.tmp\31.dll -- no virus --
C:\DOCUME~1\Jeff\LOCALS~1\Temp\_avast4_\unp85055346.tmp\32.dll -- no virus --
C:\DOCUME~1\Jeff\LOCALS~1\Temp\_avast4_\unp85055346.tmp\33.dll -- no virus --
C:\DOCUME~1\Jeff\LOCALS~1\Temp\_avast4_\unp85055346.tmp\34.exe\[PECompact] Win32:Small-FHL [Trj]
C:\DOCUME~1\Jeff\LOCALS~1\Temp\_avast4_\unp85055346.tmp\34.exe -- no virus --
C:\DOCUME~1\Jeff\LOCALS~1\Temp\_avast4_\unp85055346.tmp\35.exe\[PECompact] Win32:Small-FHL [Trj]
C:\DOCUME~1\Jeff\LOCALS~1\Temp\_avast4_\unp85055346.tmp\35.exe -- no virus --
C:\DOCUME~1\Jeff\LOCALS~1\Temp\_avast4_\unp85055346.tmp\36.exe\[PECompact] Win32:Small-FHL [Trj]
C:\DOCUME~1\Jeff\LOCALS~1\Temp\_avast4_\unp85055346.tmp\36.exe -- no virus --
C:\DOCUME~1\Jeff\LOCALS~1\Temp\_avast4_\unp85055346.tmp\37.exe\[PECompact] Win32:Small-FHL [Trj]
C:\DOCUME~1\Jeff\LOCALS~1\Temp\_avast4_\unp85055346.tmp\37.exe -- no virus --
C:\DOCUME~1\Jeff\LOCALS~1\Temp\_avast4_\unp85055346.tmp\38.exe\[PECompact] Win32:Small-FHL [Trj]
C:\DOCUME~1\Jeff\LOCALS~1\Temp\_avast4_\unp85055346.tmp\38.exe -- no virus --
C:\DOCUME~1\Jeff\LOCALS~1\Temp\_avast4_\unp85055346.tmp\39.exe\[PECompact] Win32:Small-FHL [Trj]
C:\DOCUME~1\Jeff\LOCALS~1\Temp\_avast4_\unp85055346.tmp\39.exe -- no virus --
C:\DOCUME~1\Jeff\LOCALS~1\Temp\_avast4_\unp85055346.tmp\40.exe\[PECompact] Win32:Small-FHL [Trj]
C:\DOCUME~1\Jeff\LOCALS~1\Temp\_avast4_\unp85055346.tmp\40.exe -- no virus --
------------------------------------------------------------------------------------------
Action was completed successfully!

Here is the VF log


VundoFix V6.7.7

Checking Java version...

Sun Java not detected
Scan started at 7:04:54 PM 2/3/2008

Listing files found while scanning....

No infected files were found.


VundoFix V6.7.8

Checking Java version...

Sun Java not detected
Scan started at 6:53:44 PM 2/8/2008

Listing files found while scanning....

C:\windows\system32\awtsp.dll
C:\windows\system32\pstwa.ini
C:\windows\system32\pstwa.ini2
C:\WINDOWS\system32\qomjihe.dll
C:\WINDOWS\system32\winoux32.dll
C:\WINDOWS\system32\xxywxwt.dll

Beginning removal...

Attempting to delete C:\windows\system32\awtsp.dll
C:\windows\system32\awtsp.dll Could not be deleted.

Attempting to delete C:\windows\system32\pstwa.ini
C:\windows\system32\pstwa.ini Has been deleted!

Attempting to delete C:\windows\system32\pstwa.ini2
C:\windows\system32\pstwa.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\qomjihe.dll
C:\WINDOWS\system32\qomjihe.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\winoux32.dll
C:\WINDOWS\system32\winoux32.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\xxywxwt.dll
C:\WINDOWS\system32\xxywxwt.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

Here is the SAS log

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 02/08/2008 at 11:10 PM

Application Version : 3.9.1008

Core Rules Database Version : 3398
Trace Rules Database Version: 1390

Scan type : Complete Scan
Total Scan Time : 04:18:32

Memory items scanned : 430
Memory threats detected : 3
Registry items scanned : 5732
Registry threats detected : 11
File items scanned : 61377
File threats detected : 13

Trojan.Unclassifed/AffiliateBundle
C:\WINDOWS\SYSTEM32\XXYWXWT.DLL
C:\WINDOWS\SYSTEM32\XXYWXWT.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks#{E0EA1F31-B58F-47E8-A185-20C52DF9F168}
HKCR\CLSID\{E0EA1F31-B58F-47E8-A185-20C52DF9F168}
HKCR\CLSID\{E0EA1F31-B58F-47E8-A185-20C52DF9F168}\InprocServer32
HKCR\CLSID\{E0EA1F31-B58F-47E8-A185-20C52DF9F168}\InprocServer32#ThreadingModel
Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\xxywxwt

Adware.Vundo-Variant/PolyMorph-A
C:\WINDOWS\SYSTEM32\QOMJIHE.DLL
C:\WINDOWS\SYSTEM32\QOMJIHE.DLL

Trojan.WinFixer
C:\WINDOWS\SYSTEM32\AWTSP.DLL
C:\WINDOWS\SYSTEM32\AWTSP.DLL
HKLM\Software\Classes\CLSID\{9A65FAE0-BFC6-4E19-A3A1-5AF5E73F8DD1}
HKCR\CLSID\{9A65FAE0-BFC6-4E19-A3A1-5AF5E73F8DD1}
HKCR\CLSID\{9A65FAE0-BFC6-4E19-A3A1-5AF5E73F8DD1}\InprocServer32
HKCR\CLSID\{9A65FAE0-BFC6-4E19-A3A1-5AF5E73F8DD1}\InprocServer32#ThreadingModel
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9A65FAE0-BFC6-4E19-A3A1-5AF5E73F8DD1}

Trojan.WinUpdate
[run] C:\WINDOWS\SYSTEM32\WINUPDATE.EXE
C:\WINDOWS\SYSTEM32\WINUPDATE.EXE

Spyware.Melkosoft (CoolWebSearch Variant)
C:\WINDOWS\INSTALLER\{06BE2E47-7B80-472F-969D-2D5C0BEACCF1}\ZIP.DLL
C:\WINDOWS\INSTALLER\{2AB04F09-880F-439B-AD57-7601B9E2D80C}\ZIP.DLL
C:\WINDOWS\INSTALLER\{4C4E8CAC-5D04-4F3E-ACC7-D75E3C3F8114}\ZIP.DLL
C:\WINDOWS\INSTALLER\{55B650D9-3C6D-436D-BB62-7B50A7A5B487}\ZIP.DLL
C:\WINDOWS\INSTALLER\{5EC286B1-B96D-49E8-8336-76E2D5C73118}\ZIP.DLL
C:\WINDOWS\INSTALLER\{6CDF6985-0325-4B35-8192-5D2CB119E6AA}\ZIP.DLL
C:\WINDOWS\INSTALLER\{98F5889E-F0A0-453F-8A17-C5B6533BC6A9}\ZIP.DLL
C:\WINDOWS\INSTALLER\{BF225020-CD4C-4585-9A90-7A20A1526A3A}\ZIP.DLL
C:\WINDOWS\INSTALLER\{F6DC24F4-A445-4AEB-9F08-E6CFE666D738}\ZIP.DLL

Also, when I booted up the PC I had something similar to a Windows Firewall popup, but in IE. Below is the video I made of this error. I scheduled a boot-time scan too.



#8 Booman

Posted 09 February 2008 - 11:03 AM

I am still having popups. The scheduled boot-time scan removed the trojan. I have pics of the popups if they help; they are in order.

http://i229.photobucket.com/albums/ee189/d...rrors/popup.gif
http://i229.photobucket.com/albums/ee189/d...rors/popup2.gif
http://i229.photobucket.com/albums/ee189/d...rors/popup3.gif

#9 Booman

Posted 09 February 2008 - 09:37 PM

I rebooted and Avast was bugging me. I have pics of the spyware-in-IE thing, and I found some files that Avast could not remove.

http://i229.photobucket.com/albums/ee189/d...wolfman/OMG.gif
http://i229.photobucket.com/albums/ee189/d..._wolfman/no.gif
http://i229.photobucket.com/albums/ee189/d...fman/hmmmmm.gif

#10 Booman

Posted 09 February 2008 - 09:48 PM

I scanned the 3 files in my pictures and here are the reports:

http://www.virustotal.com/analisis/262aae2...354196fdaa2b5ab
http://www.virustotal.com/analisis/262aae2...354196fdaa2b5ab
http://www.virustotal.com/analisis/84d9497...ac9ba46359d115c

#11 Falu

Posted 10 February 2008 - 04:21 PM

Hi Booman, :thumbsup:

I suggest we stick to this thread from now on, right?!! :blink:

1. Are you using a firewall? I see nothing in your log that would indicate that you have one. I urge you to install one, since it's your first defense against malware. There are several good free programmes available, like:

Comodo Firewall Pro
Online Armor Free edition
Kerio

For a tutorial on Firewalls click: Understanding and Using Firewalls!

2. Please follow instructions for downloading and running ComboFix in: How to use ComboFix

This includes installing the Windows XP Recovery Console in case you have not installed it yet.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.

#12 Booman

Posted 10 February 2008 - 09:42 PM

You never got me a link to download it, but I got it from majorgeeks.com, where I get most of my stuff from. Which firewall is better between the 3? I HATE COMODO! I tried it and it blocks my programs :thumbsup: ComboFix deleted something so far. Log is coming soon.

#13 Booman

Posted 10 February 2008 - 09:56 PM

What is Viewpoint Media Player? I heard it's bad. I got this thing called ViewpointKiller AND it removed it. Here is the log:

ComboFix 08-02.05.3 - Jeff 2008-02-10 21:34:53.1 - NTFSx86
Running from: C:\Documents and Settings\Jeff\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Documents and Settings\Jeff\Application Data\AntiSpywareBot
C:\Documents and Settings\Jeff\Application Data\AntiSpywareBot\Log\2008 Feb 09 - 10_26_27 PM_812.log
C:\Documents and Settings\Jeff\Application Data\AntiSpywareBot\Log\2008 Feb 09 - 10_26_32 PM_187.log
C:\Documents and Settings\Jeff\Application Data\AntiSpywareBot\rs.dat
C:\Documents and Settings\Jeff\Application Data\AntiSpywareBot\Settings\CustomScan.stg
C:\Documents and Settings\Jeff\Application Data\AntiSpywareBot\Settings\IgnoreList.stg
C:\Documents and Settings\Jeff\Application Data\AntiSpywareBot\Settings\ScanInfo.stg
C:\Documents and Settings\Jeff\Application Data\AntiSpywareBot\Settings\ScanResults.stg
C:\Documents and Settings\Jeff\Application Data\AntiSpywareBot\Settings\SelectedFolders.stg
C:\Documents and Settings\Jeff\Application Data\AntiSpywareBot\Settings\Settings.stg
C:\WINDOWS\system32\pskill.exe
C:\WINDOWS\Tasks.\AntiSpywareBot Scheduled Scan.job

----- BITS: Possible infected sites -----

hxxp://www.download.windowsupdate.com
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\ntload


((((((((((((((((((((((((( Files Created from 2008-01-11 to 2008-02-11 )))))))))))))))))))))))))))))))
.

2008-02-10 16:47 . 2008-02-10 21:26 <DIR> d-------- C:\Program Files\Google
2008-02-10 15:51 . 2008-02-10 15:51 <DIR> d-------- C:\Program Files\Common Files\DVDVideoSoft
2008-02-10 15:08 . 2008-02-10 15:08 <DIR> d-------- C:\Documents and Settings\Jeff\Application Data\acccore
2008-02-10 15:07 . 2008-02-10 15:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL Downloads
2008-02-10 15:07 . 2008-02-10 15:07 21 --a------ C:\WINDOWS\atid.ini
2008-02-10 15:01 . 2008-02-10 15:01 <DIR> d-------- C:\Program Files\Common Files\AOL
2008-02-10 15:01 . 2008-02-10 15:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL OCP
2008-02-10 15:01 . 2008-02-10 15:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL
2008-02-10 15:00 . 2008-02-10 15:07 <DIR> d-------- C:\Program Files\AIM6
2008-02-10 15:00 . 2008-02-10 15:07 953 --ah----- C:\IPH.PH
2008-02-10 10:28 . 2008-02-10 10:28 <DIR> d-------- C:\WINDOWS\Sun
2008-02-10 10:28 . 2008-02-10 10:28 <DIR> d-------- C:\WINDOWS\.jagex_cache_32
2008-02-10 00:26 . 2008-02-10 10:14 <DIR> d-------- C:\Program Files\Crawler
2008-02-10 00:10 . 2008-02-10 21:44 <DIR> d-------- C:\Program Files\Spyware Terminator
2008-02-09 23:41 . 2008-02-09 23:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-02-09 23:34 . 2004-08-04 07:00 22,528 --a------ C:\WINDOWS\system32\wsock32.dlb
2008-02-09 23:33 . 2008-02-09 23:33 <DIR> d-------- C:\Program Files\Comodo
2008-02-09 23:33 . 2007-11-26 10:38 238,848 --a------ C:\WINDOWS\UNBOC.EXE
2008-02-09 23:33 . 2007-05-08 17:01 208,896 --a------ C:\WINDOWS\CMDLIC.DLL
2008-02-09 23:07 . 2008-02-10 12:41 <DIR> d-------- C:\Program Files\Weather Pulse
2008-02-09 22:34 . 2008-02-10 00:03 3,284 --a------ C:\WINDOWS\system32\tmp.reg
2008-02-09 15:34 . 2008-02-09 15:34 <DIR> d-------- C:\Documents and Settings\Jeff\Incomplete
2008-02-09 15:34 . 2008-02-09 16:05 <DIR> d-------- C:\Documents and Settings\Jeff\Application Data\FrostWire
2008-02-09 14:47 . 2008-02-09 14:47 <DIR> d-------- C:\DVDVideoSoft
2008-02-09 14:47 . 2008-02-09 15:31 <DIR> d-------- C:\Documents and Settings\Jeff\Application Data\LimeWire
2008-02-09 14:46 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-02-09 14:42 . 2008-02-09 14:46 <DIR> d-------- C:\Program Files\Java
2008-02-09 14:41 . 2008-02-09 14:41 <DIR> d-------- C:\Program Files\Common Files\Java
2008-02-09 12:01 . 2008-02-09 12:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Age of Empires 3 XPack Trial
2008-02-08 19:37 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-02-08 19:37 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-02-08 19:37 . 2008-02-08 23:55 85,504 --a------ C:\WINDOWS\system32\VACFix.exe
2008-02-08 19:37 . 2008-02-08 10:37 82,432 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-02-08 19:37 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-02-08 19:37 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-02-08 19:37 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-02-08 18:48 . 2008-02-08 18:48 <DIR> d-------- C:\Documents and Settings\Jeff\Application Data\SUPERAntiSpyware.com
2008-02-08 18:46 . 2008-02-08 18:46 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-08 06:53 . 2008-02-09 23:07 <DIR> d-------- C:\Documents and Settings\Jeff\Application Data\Weather Pulse
2008-02-07 23:15 . 2008-02-07 23:15 <DIR> d-------- C:\Program Files\Audacity
2008-02-06 17:58 . 2008-02-06 17:58 <DIR> d-------- C:\WINDOWS\Speeditup Free
2008-02-04 23:32 . 2007-05-27 04:17 676,224 --a------ C:\WINDOWS\system32\OGACheckControl.dll
2008-02-04 23:28 . 2006-10-26 19:56 32,592 --a------ C:\WINDOWS\system32\msonpmon.dll
2008-02-04 23:24 . 2008-02-04 23:24 <DIR> d-------- C:\Program Files\Microsoft Works
2008-02-04 23:19 . 2008-02-04 23:19 <DIR> d-------- C:\Program Files\Microsoft.NET
2008-02-04 23:15 . 2008-02-04 23:15 <DIR> d-------- C:\Program Files\Microsoft Visual Studio 8
2008-02-04 23:12 . 2008-02-04 23:22 <DIR> d-------- C:\WINDOWS\SHELLNEW
2008-02-04 23:07 . 2008-02-04 23:07 <DIR> dr-h----- C:\MSOCache
2008-02-04 19:38 . 2008-02-04 19:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2008-02-03 19:57 . 2008-02-03 19:59 <DIR> d-------- C:\Temp
2008-02-03 19:53 . 2008-02-10 15:51 <DIR> d-------- C:\Program Files\DVDVideoSoft
2008-02-03 19:53 . 2002-01-05 14:37 344,064 --a------ C:\WINDOWS\system32\msvcr70.dll
2008-02-03 19:04 . 2008-02-08 23:27 <DIR> d-------- C:\VundoFix Backups
2008-02-03 16:37 . 2008-02-03 17:02 <DIR> d-------- C:\Documents and Settings\Jeff\Application Data\Download Manager
2008-02-03 14:39 . 2008-02-03 14:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2008-02-03 14:34 . 2008-02-03 14:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-02-03 14:33 . 2008-02-10 01:25 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-02-03 14:00 . 2008-02-03 14:29 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-02-03 13:59 . 2005-09-23 08:29 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2008-02-03 13:12 . 2005-08-27 02:38 1,435,272 --a------ C:\WINDOWS\system32\Flash.ocx
2008-02-03 13:12 . 2003-11-19 13:59 512,688 --a------ C:\WINDOWS\system32\XceedCry.dll
2008-02-03 13:12 . 2004-05-11 09:56 423,784 --a------ C:\WINDOWS\system32\XceedBkp.dll
2008-02-03 13:12 . 2004-02-05 20:53 389,120 --a------ C:\WINDOWS\system32\ACTSKN43.OCX
2008-02-03 13:12 . 2004-01-09 10:54 188,416 --a------ C:\WINDOWS\system32\actsplash.ocx
2008-02-03 13:12 . 2004-03-08 23:00 131,856 --a------ C:\WINDOWS\system32\MSADODC.ocx
2008-02-03 13:12 . 2000-07-15 05:00 101,888 --a------ C:\WINDOWS\system32\VB6STKIT.DLL
2008-02-03 13:12 . 2001-03-28 22:02 89,088 --a------ C:\WINDOWS\system32\ProgressBar4.ocx
2008-02-03 13:12 . 1999-01-26 19:36 11,012 --a------ C:\WINDOWS\system32\threadapi.tlb
2008-02-03 13:10 . 2008-02-03 13:10 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2008-02-03 12:45 . 2008-02-03 12:45 <DIR> d-------- C:\Program Files\VS Revo Group
2008-02-03 12:39 . 2008-02-03 12:39 409 --a------ C:\log.udt
2008-02-03 11:40 . 2008-02-03 11:40 <DIR> d-------- C:\Documents and Settings\Dad\Application Data\Talkback
2008-02-02 17:44 . 2008-02-02 17:44 <DIR> d-------- C:\Program Files\Unlocker
2008-02-02 17:42 . 2008-02-02 17:42 <DIR> d-------- C:\Documents and Settings\Jeff\.gimp-2.4
2008-02-02 12:55 . 2008-02-09 14:40 <DIR> d-------- C:\Program Files\Microsoft Games
2008-02-02 10:39 . 2008-02-02 10:39 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-02-02 10:39 . 2008-02-02 10:39 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-02-02 00:12 . 2008-02-02 00:12 <DIR> d-------- C:\Documents and Settings\Jeff\Application Data\TeleFlow
2008-02-02 00:10 . 2008-02-02 00:14 28 --a------ C:\WINDOWS\ODBC.INI
2008-02-02 00:09 . 2008-02-02 00:16 <DIR> d-------- C:\Program Files\TeleFlow
2008-02-02 00:00 . 2008-02-09 21:33 <DIR> d-------- C:\Program Files\DonationCoder
2008-02-02 00:00 . 2008-02-02 00:00 <DIR> d-------- C:\Documents and Settings\Jeff\Application Data\DonationCoder
2008-02-02 00:00 . 2008-02-02 00:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\DonationCoder
2008-02-02 00:00 . 2008-02-02 00:00 58 --a------ C:\WINDOWS\system32\DonationCoder_ScreenshotCaptor_InstallInfo.dat
2008-02-01 23:53 . 2008-02-01 23:53 <DIR> d-------- C:\Program Files\Common Files\Scanner
2008-02-01 23:53 . 2008-02-01 23:55 <DIR> d-------- C:\Program Files\CA Yahoo! Anti-Spy
2008-02-01 23:52 . 2008-02-01 23:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-02-01 23:51 . 2008-02-01 23:51 <DIR> d-------- C:\WINDOWS\cache
2008-02-01 23:44 . 2004-08-04 00:56 90,624 --a------ C:\WINDOWS\system32\kswdmcap.ax
2008-02-01 23:44 . 2004-08-04 00:56 90,624 --a--c--- C:\WINDOWS\system32\dllcache\kswdmcap.ax
2008-02-01 23:44 . 2004-08-04 00:56 61,952 --a------ C:\WINDOWS\system32\kstvtune.ax
2008-02-01 23:44 . 2004-08-04 00:56 61,952 --a--c--- C:\WINDOWS\system32\dllcache\kstvtune.ax
2008-02-01 23:44 . 2004-08-04 00:56 53,760 --a------ C:\WINDOWS\system32\vfwwdm32.dll
2008-02-01 23:44 . 2004-08-04 00:56 53,760 --a--c--- C:\WINDOWS\system32\dllcache\vfwwdm32.dll
2008-02-01 23:44 . 2004-08-04 00:56 43,008 --a------ C:\WINDOWS\system32\ksxbar.ax
2008-02-01 23:44 . 2004-08-04 00:56 43,008 --a--c--- C:\WINDOWS\system32\dllcache\ksxbar.ax
2008-02-01 23:44 . 2004-08-04 00:56 28,672 --a------ C:\WINDOWS\system32\vidcap.ax
2008-02-01 23:44 . 2004-08-04 00:56 28,672 --a--c--- C:\WINDOWS\system32\dllcache\vidcap.ax
2008-02-01 23:38 . 2008-02-01 23:38 <DIR> d-------- C:\Program Files\Common Files\Labtec
2008-02-01 23:38 . 2007-03-06 17:48 1,273,504 --a------ C:\WINDOWS\system32\drivers\LV302V32.SYS

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-01 20:26 1,612 --sha-r C:\WINDOWS\system32\drivers\103C_HP_NTBK_HP Pavilion ze2000 (EC201UA#ABA)_YN_0Pavi_QCNF547041B_EU_46_I3096_SQuanta_V47.10_BF.27_T060830_WXH2_L409_M383_J60_7AMD_8Sempron_91.79_#080201_N10EC8139_(EC201UA#ABA)_XMOBILE_CN10_Z10024378_2Rev 1.MRK
2008-02-01 19:49 --------- d-----w C:\Program Files\microsoft frontpage
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3937C755-FCAD-456C-A65D-CBD77B309933}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D13895DF-6823-4F64-8BC4-5F9836F0BDAD}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00 15360]
"Aim6"="" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 07:00 208952]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 07:00 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 07:00 455168]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-07-13 21:05 344064]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-02-02 12:11 692316]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2005-02-08 16:38 159744]
"eabconfg.cpl"="C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-12-03 13:24 290816]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2005-02-02 12:12 102492]
"hpWirelessAssistant"="C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-12-13 16:45 507904]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 08:00 79224]
"SynTPStart"="C:\Program Files\Synaptics\SynTP\SynTPStart.exe" [2007-09-15 02:29 102400]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-01-10 15:27 385024]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-04 07:00 158208]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
backup=C:\WINDOWS\pss\WinZip Quick Pick.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2007-10-10 19:51 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
--a------ 2007-08-24 07:00 33648 C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-01-15 03:22 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LClock]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechCommunicationsManager]
--a------ 2007-03-06 17:48 488984 C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechQuickCamRibbon]
--a------ 2007-03-06 17:58 1060376 C:\Program Files\Labtec\WebCam10\WebCam10.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-01-10 15:27 385024 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpywareTerminator]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViOrb]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Vista Sidebar]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViStart]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Weather Pulse]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2007-08-30 17:43 4670704 C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPod Service"=3 (0x3)
"Bonjour Service"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"odserv"=3 (0x3)
"ose"=3 (0x3)
"LVSrvLauncher"=2 (0x2)
"NMSAccessU"=2 (0x2)
"Microsoft Office Groove Audit Service"=3 (0x3)
"sp_rssrv"=2 (0x2)
"sp_clamsrv"=3 (0x3)

R3 HSFHWATI;HSFHWATI;C:\WINDOWS\system32\DRIVERS\HSFHWATI.sys [2005-08-23 07:06]
S4 NMSAccessU;NMSAccessU;C:\Program Files\CDBurnerXP\NMSAccessU.exe [2007-10-12 08:34]

.
Contents of the 'Scheduled Tasks' folder
"2008-02-07 02:20:09 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-02-02 00:39:11 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC Nag.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
"2008-02-02 00:39:07 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
"2008-02-02 00:45:00 C:\WINDOWS\Tasks\Uniblue SpyEraser.job"
- C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-10 21:46:10
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\\?\C:\WINDOWS\system32\WBEM\WMIADAP.EXE
.
**************************************************************************
.
Completion time: 2008-02-10 21:50:03 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-11 02:49:57
.
2008-02-06 02:47:35 --- E O F ---

#14 Falu

Posted 11 February 2008 - 05:20 AM

Hi Booman, :thumbsup:

Please post a fresh HijackThis log as well! :blink:

#15 Booman

Posted 11 February 2008 - 06:56 PM

Hey Falu, can you give all the steps in one post, which saves more time? I'm not trying to be a snob or anything.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:55, on 2/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Jeff\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...ER}&ar=home
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsoft.com/access/autosearch.asp?p=%s
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3937C755-FCAD-456C-A65D-CBD77B309933} - (no file)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {D13895DF-6823-4F64-8BC4-5F9836F0BDAD} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O21 - SSODL: PrxPrx - {aa6e7caa-58e7-4317-98cb-7dfb4680083d} - (no file)
O21 - SSODL: zip - {357f4f29-5e8a-4fac-9e1d-6c83cd112615} - (no file)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

--
End of file - 7600 bytes



