
Iehijack Virtumonde, Hijack This Log Included As A Bonus!


  • This topic is locked
22 replies to this topic

#1 Budwhite501

Budwhite501

  • Members
  • 12 posts
  • OFFLINE
  • Local time:01:23 PM

Posted 08 February 2008 - 10:17 PM

Hey, I've been persecuted by the Virtumonde infection. Have run dozens of programmes to rid the CPU of it. Now using the Opera web browser as I'm terrified of opening up Internet Explorer and going back to a near unworkable state. System appears healthy; can only find one suspicious file in the HijackThis log (but I am in no way an expert), which is still in the windows/system32 folder. Would like to get rid of it but don't want to corrupt the system. Also have Deckard system scans if these are needed. Am only currently running Spybot TeaTimer as protection, as anything else slows the system down too much. Please, experts, read the log and help me be rid of it once and for all; it's driving me insane!
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 01:05:37, on 08/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\HijackThis\Crusty.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.orange.co.uk
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.co.uk/myway
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.co.uk/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Orange UK
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1bf77bb7-00d9-4e48-a724-d92f725264a5} - C:\WINDOWS\system32\afcoeaow.dll (file missing)
O2 - BHO: (no name) - {2D54C0DB-47E3-448E-8D16-34464CE5208D} - C:\WINDOWS\system32\jkhhi.dll (file missing)
O2 - BHO: Orange - {4E7BD74F-2B8D-469E-A1FB-F862B587B57D} - C:\PROGRA~1\orange3\orange3.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {6D17C2B5-2706-0BFA-0611-5300B6C781EA} - C:\WINDOWS\system32\flpy.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: (no name) - {BD97F639-63A3-447A-A3D2-4CC082B69FCB} - C:\WINDOWS\system32\mljgg.dll (file missing)
O2 - BHO: (no name) - {C11B357D-AB6C-4C67-8033-869D1FFC9E8B} - (no file)
O2 - BHO: (no name) - {E180F496-8A4B-44E2-9FE0-0364E345DB7F} - C:\WINDOWS\system32\qomklkj.dll (file missing)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Orange - {4E7BD74F-2B8D-469E-A1FB-F862B587B57D} - C:\PROGRA~1\orange3\orange3.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [RegServer] regserve.exe
O4 - HKLM\..\Run: [XGIWatchDog] C:\Program Files\XGI\twatdog.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -s
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Sen] "C:\DOCUME~1\PUMPKI~1\MYDOCU~1\ECURIT~1\dllhost.exe" -vt yazb
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Ksxmz] "C:\Documents and Settings\pumpkin pie\My Documents\W?nSxS\r?gsvr32.exe"
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: English<->Italian - C:\Program Files\LingvoSoft\LingvoSoft Dictionary 2007 (English-Italian) for Windows\Plugins\IE.htm
O8 - Extra context menu item: orange search - file://C:\Program Files\ORANGE3\Cache\SelectedContextSearch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: English<->Italian - {9FF0EF33-D68F-8B4C-8D11-EBA84CF575CF} - C:\Program Files\LingvoSoft\LingvoSoft Dictionary 2007 (English-Italian) for Windows\Plugins\IE.htm
O9 - Extra 'Tools' menuitem: English<->Italian - {9FF0EF33-D68F-8B4C-8D11-EBA84CF575CF} - C:\Program Files\LingvoSoft\LingvoSoft Dictionary 2007 (English-Italian) for Windows\Plugins\IE.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.orange.co.uk
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O20 - Winlogon Notify: vspekwjh - C:\WINDOWS\
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

--
End of file - 7606 bytes

Attached Files





#2 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:01:23 PM

Posted 08 February 2008 - 11:25 PM

Hello Budwhite501,

Welcome to Bleeping Computer :thumbsup: We must end this persecution!!! End it NOW!!!!

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please, along with a new HijackThis log.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.

Can you run in normal mode? If so, please post a new HijackThis log made from normal mode. I can't see everything when it's made in safe mode.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#3 Budwhite501

Budwhite501
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:01:23 PM

Posted 09 February 2008 - 09:27 AM

Hi again, thanks for getting back so quick. ComboFix doesn't appear to be working for me. A blue window appears and then repeats itself a couple of times at lower intervals on the screen and then remains there with an underscore blinking but no instructions. Should I try and install it again?

#4 Budwhite501

Budwhite501
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:01:23 PM

Posted 09 February 2008 - 09:57 AM

Update: tried deleting ComboFix and downloading it again. First time I loaded it without touching the trackpad or keyboard, it said something very quickly, but I think it was something along the lines of 'hijack file not found'. The second time it tells me that I 'cannot rename combofix as combofix'.

#5 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:01:23 PM

Posted 09 February 2008 - 10:12 AM

Hello,

Delete that one then, and try this version:

http://download.bleepingcomputer.com/sUBs/Combo-Fix.exe

#6 Budwhite501

Budwhite501
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:01:23 PM

Posted 09 February 2008 - 04:02 PM

Ach, still no luck. I tried deleting and then downloading each of the links and running it. I just tried again and I get the blue window again with a blinking underscore. I waited for 5 minutes but it doesn't do anything. Sorry, what shall I do now?

#7 Budwhite501

Budwhite501
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:01:23 PM

Posted 09 February 2008 - 04:42 PM

Update: One of the ComboFix files I downloaded told me that C:\Windows\System32\kmd.exe could not be found when I ran it. Don't know if this is any help.

Edited by Budwhite501, 09 February 2008 - 04:45 PM.


#8 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:01:23 PM

Posted 09 February 2008 - 05:30 PM

Hello,

This is nasty stuff. :blink: All right....more than one way to do this, so we'll just chip away at it. :thumbsup: Please delete ComboFix, and the folder Qoobox, if it's there.

Next, please reboot your computer into Safe Mode by doing the following:
  • Reboot your computer.
  • After hearing your computer beep once during startup, but just before the Windows icon appears, begin tapping the F8 key on your keyboard. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, reboot the computer and try again.
  • Instead of Windows loading as normal, a menu should appear.
  • Using the arrow keys on the keyboard, scroll to and select the "Safe Mode" menu item, and then press "Enter".
Please run HijackThis! and click "Scan." Place checks next to the following entries, if present:


O2 - BHO: (no name) - {1bf77bb7-00d9-4e48-a724-d92f725264a5} - C:\WINDOWS\system32\afcoeaow.dll (file missing)
O2 - BHO: (no name) - {2D54C0DB-47E3-448E-8D16-34464CE5208D} - C:\WINDOWS\system32\jkhhi.dll (file missing)
O2 - BHO: (no name) - {6D17C2B5-2706-0BFA-0611-5300B6C781EA} - C:\WINDOWS\system32\flpy.dll
O2 - BHO: (no name) - {BD97F639-63A3-447A-A3D2-4CC082B69FCB} - C:\WINDOWS\system32\mljgg.dll (file missing)
O2 - BHO: (no name) - {C11B357D-AB6C-4C67-8033-869D1FFC9E8B} - (no file)
O2 - BHO: (no name) - {E180F496-8A4B-44E2-9FE0-0364E345DB7F} - C:\WINDOWS\system32\qomklkj.dll (file missing)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKCU\..\Run: [Sen] "C:\DOCUME~1\PUMPKI~1\MYDOCU~1\ECURIT~1\dllhost.exe" -vt yazb
O4 - HKCU\..\Run: [Ksxmz] "C:\Documents and Settings\pumpkin pie\My Documents\W?nSxS\r?gsvr32.exe"
O20 - Winlogon Notify: vspekwjh - C:\WINDOWS\


Close all browsers and other windows except for HijackThis!, and click "Fix checked".

Then please run a scan with AVG Anti-Spyware:

IMPORTANT: Do NOT open any other windows or programs while AVG Anti-Spyware is scanning, it may interfere with the scanning process.
  • Launch AVG Anti-Spyware by double-clicking the icon on your desktop.
  • Select the "Scanner" icon at the top and then the "Scan" tab. Click on "Complete System Scan".
  • AVG Anti-Spyware will now begin the scanning process, be patient this may take a little time.
  • Once the scan is complete do the following:
    • If you have any infections you will be prompted; then select the "Apply all actions" button. AVG Anti-Spyware will then display "All actions have been applied" on the right hand side.
    • Next select the "Save Report" button at the bottom.
    • Then select the "Save report as" button in the lower left hand corner of the screen and save it as a text file on your system (make sure to remember where you saved that file, this is important!).
  • Close AVG Anti-Spyware and reboot your system normally into Windows. Please post the contents of the AVG Anti-Spyware report in your next reply, along with a new HijackThis log.
Thanks,
tea
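As an added example (not part of this thread, and not a HijackThis or BleepingComputer tool), the Python script below applies the kind of checks a helper runs by eye over a log like the one posted above before writing a fix list: it parses the O2/O3/O4/O20 lines and flags unnamed BHOs and toolbars, registered components whose file is already gone, Run entries whose path contains substituted characters or that launch a Windows system binary from outside the Windows directory, and Winlogon Notify handlers that point at a bare directory. The sample lines are copied from the log earlier in the thread; the flagging rules and the SYSTEM_BINARIES list are this example's own assumptions, not HijackThis rules.

```python
"""Triage helper for HijackThis log lines (added example, not a HijackThis or
BleepingComputer tool).  Parses O2/O3/O4/O20 entries and flags the patterns a
malware-removal helper looks for by eye; the rules are this example's own."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

GUID = r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"
# O2 (BHO) and O3 (Toolbar) share one shape: name - {CLSID} - path
COMPONENT_RE = re.compile(
    rf"^O[23] - (?:BHO|Toolbar): (?P<name>.*?) - (?P<guid>{GUID}) - (?P<path>.*)$")
# O4 autostart entries: hive\..\Run: [value name] command line
RUN_RE = re.compile(r"^O4 - (?P<hive>HK\S*?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")
# First executable in a command line, with or without surrounding quotes
EXE_RE = re.compile(r'"?(?P<exe>[^"]+?\.exe)"?', re.IGNORECASE)

# Windows binaries that only belong under %SystemRoot% (assumed list, not exhaustive)
SYSTEM_BINARIES = {"dllhost.exe", "svchost.exe", "regsvr32.exe", "rundll32.exe", "ctfmon.exe"}


@dataclass
class Finding:
    line: str
    reasons: list[str] = field(default_factory=list)


def assess_line(line: str) -> list[str]:
    """Return the suspicion reasons for one log line (empty list = nothing flagged)."""
    reasons: list[str] = []
    if (m := COMPONENT_RE.match(line)):
        if m["name"] == "(no name)":
            reasons.append("unnamed BHO/toolbar")
        if "(file missing)" in m["path"] or m["path"].strip() == "(no file)":
            reasons.append("registered component with no file on disk")
    elif (m := RUN_RE.match(line)):
        cmd = m["cmd"]
        if "?" in cmd:
            # HijackThis prints '?' for characters it cannot display; such names
            # are built to resemble real files (here WinSxS / regsvr32.exe)
            reasons.append("substituted characters in command path (look-alike name)")
        if (exe := EXE_RE.search(cmd)):
            exe_path = exe["exe"]
            base = exe_path.rsplit("\\", 1)[-1].lower()
            if base in SYSTEM_BINARIES and not exe_path.lower().startswith("c:\\windows\\"):
                reasons.append(f"{base} launched from outside the Windows directory")
    elif (m := NOTIFY_RE.match(line)):
        if m["path"].rstrip().endswith("\\"):
            reasons.append("Winlogon Notify handler points at a directory, not a DLL")
    return reasons


def triage(log_text: str) -> list[Finding]:
    """Run assess_line over every line of a log and keep only the flagged ones."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if (reasons := assess_line(line)):
            findings.append(Finding(line, reasons))
    return findings


# Sample lines copied from the HijackThis log posted in this thread
SAMPLE_LOG = r"""
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {1bf77bb7-00d9-4e48-a724-d92f725264a5} - C:\WINDOWS\system32\afcoeaow.dll (file missing)
O2 - BHO: (no name) - {6D17C2B5-2706-0BFA-0611-5300B6C781EA} - C:\WINDOWS\system32\flpy.dll
O2 - BHO: (no name) - {C11B357D-AB6C-4C67-8033-869D1FFC9E8B} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -s
O4 - HKCU\..\Run: [Sen] "C:\DOCUME~1\PUMPKI~1\MYDOCU~1\ECURIT~1\dllhost.exe" -vt yazb
O4 - HKCU\..\Run: [Ksxmz] "C:\Documents and Settings\pumpkin pie\My Documents\W?nSxS\r?gsvr32.exe"
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O20 - Winlogon Notify: vspekwjh - C:\WINDOWS\
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding.line)
        for reason in finding.reasons:
            print("    ->", reason)
```

Run against the sample, the script flags the same seven entries that appear in the fix list above and leaves the Yahoo, Google, COMODO, CTFMON and AppInit_DLLs lines alone; an unnamed BHO whose DLL still exists (flpy.dll) is reported with a single reason, so a reviewer can see it needs a closer look rather than an automatic removal.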

#9 Budwhite501

Budwhite501
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:01:23 PM

Posted 09 February 2008 - 08:50 PM

Hey, have now run HijackThis, fixed the checked problems indicated (except for the r?g32.exe file in the winsys folder, which still exists but wasn't present in the HijackThis scan) and then run AVG Anti-Spyware, both in safe mode. I hope this is OK. Have included the AVG Anti-Spyware report and new HijackThis log. I'm getting a strange message from my resident TeaTimer at the moment upon normal startup, something like this:

Category: Session manager
Change: Value changed

Entry: BootExecute

Old data: autocheck autochk*

New data: autocheck autochk *\??III?IA???II?Itrue

The I's in the last bit look more like blocks. I've been denying this as it looks suspicious.

Thanks

Oh, and the AVG Anti-Spyware report isn't showing much, but I ran it just after being infected and before posting here. I have that report handy if needed; it lists a lot more infections, trojans etc. Since then I have quarantined and removed them, before the first post I made on these boards.

Attached Files


Edited by Budwhite501, 10 February 2008 - 06:15 PM.


#10 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:01:23 PM

Posted 11 February 2008 - 03:26 PM

Hello,

Hope you had a great weekend. :blink: Everything you did was fine.

I notice that you have Spybot's TeaTimer running. While this is normally a wonderful tool to protect against hijackers, it can also interfere with the fixes. So please disable TeaTimer by doing the following:
1) Run Spybot-S&D
2) Go to the Mode menu, and make sure "Advanced Mode" is selected
3) On the left hand side, choose Tools -> Resident
4) Uncheck "Resident TeaTimer" and OK any prompts

You can reenable TeaTimer once your system is clean.

Please run HijackThis! and click "Scan." Place checks next to the following entries, if present:

O2 - BHO: (no name) - {1bf77bb7-00d9-4e48-a724-d92f725264a5} - (no file)
O2 - BHO: (no name) - {2D54C0DB-47E3-448E-8D16-34464CE5208D} - (no file)
O2 - BHO: (no name) - {6D17C2B5-2706-0BFA-0611-5300B6C781EA} - (no file)
O2 - BHO: (no name) - {BD97F639-63A3-447A-A3D2-4CC082B69FCB} - (no file)
O2 - BHO: (no name) - {C11B357D-AB6C-4C67-8033-869D1FFC9E8B} - (no file)
O2 - BHO: (no name) - {E180F496-8A4B-44E2-9FE0-0364E345DB7F} - (no file)
O20 - Winlogon Notify: vspekwjh - C:\WINDOWS\


Close all browsers and other windows except for HijackThis!, and click "Fix checked".

Now please try to download ComboFix again. This time leave your Tea Timer off when you run it. It tends to interfere. If you get it to run, please post the report along with a new HijackThis log and let me know how it's running now. :thumbsup:

Thanks,
tea

Edited by teacup61, 11 February 2008 - 03:27 PM.


#11 Budwhite501

Budwhite501
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:01:23 PM

Posted 11 February 2008 - 06:24 PM

Hi, yeah, had a good weekend, thanks; hope yours was good too. ComboFix is now running after I turned off TeaTimer and some other resident shields I didn't realise were running. Machine is definitely healthier at the moment, but those files you told me to fix in HijackThis keep on returning for some reason. Here are the latest ComboFix and HijackThis logs attached:

Update: Machine is definitely healthier; loading time for most applications has been cut, seemingly almost in half. Note: I was trying to stop Adobe Photoshop Downloader appearing in the system tray on startup, so attempted to run regedit from the Run command box. I was given an error message that the application failed to initialise properly; this was also an error message I received repeatedly while running ComboFix.

Attached Files


Edited by Budwhite501, 11 February 2008 - 06:41 PM.


#12 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:01:23 PM

Posted 12 February 2008 - 12:01 AM

Hello,

Now that was wrong. I'm glad it's running better, but you did it wrong that time. Let's do this again, please. :blink:

I want you to disconnect from the internet completely, then disable all your resident protections again. Start ComboFix, then walk away from the computer. Seriously, just walk away from it until it's done. It can't do what it needs to do with you running all sorts of programs during the scan and removal process. Then try the HijackThis directions again, please. Post the reports on your reply.

How is it running now? :thumbsup:

Thanks,
tea

#13 Budwhite501

Budwhite501
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:01:23 PM

Posted 12 February 2008 - 11:12 AM

Hi, sorry about that. When ComboFix was running the first time, I didn't run any other programmes. But it had to reboot, and when it rebooted, the TeaTimer and Ad-Aware service booted upon restart, so I just turned them off while it was running, and clicked OK on a couple of error messages. This time I just did as you said, walked away until it had finished. There was no reboot this time. Also, the fixed errors in HijackThis did not return after startup. Here are the included logs; thanks again for this, btw.

Attached Files



#14 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:01:23 PM

Posted 12 February 2008 - 06:03 PM

Hello,

Good....thank you. :blink:

* Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the quote box below into notepad:

Folder::
C:\WINDOWS\SYSTEM32\pcu1
C:\WINDOWS\SYSTEM32\mec8
C:\WINDOWS\SYSTEM32\drz2
C:\Temp
C:\Documents and Settings\pumpkin pie\My Documents\W?nSxS

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1bf77bb7-00d9-4e48-a724-d92f725264a5}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2D54C0DB-47E3-448E-8D16-34464CE5208D}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D17C2B5-2706-0BFA-0611-5300B6C781EA}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BD97F639-63A3-447A-A3D2-4CC082B69FCB}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C11B357D-AB6C-4C67-8033-869D1FFC9E8B}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vspekwjh]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\38c87cf1]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ksxmz]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]

File::
C:\WINDOWS\system32\ulqvhirm.dll
C:\WINDOWS\mrofinu572.exe


Save this as a text file called CFScript.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[screenshot: CFScript being dragged onto ComboFix.exe]

This will start ComboFix again.

After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

How is it running now? :thumbsup:

Thanks,
tea

#15 Budwhite501

Budwhite501
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:01:23 PM

Posted 13 February 2008 - 07:54 AM

Hi, system is running very well. Seems much quicker than even before the Virtumonde infection; must've had another infection before that.

ComboFix 08-02-13.2 - pumpkin pie 2008-02-14 12:29:47.4 - NTFSx86
Running from: C:\Documents and Settings\pumpkin pie\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\pumpkin pie\Desktop\CFScript
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE
C:\WINDOWS\mrofinu572.exe
C:\WINDOWS\system32\ulqvhirm.dll
.
The following files were disabled during the run:
C:\WINDOWS\system32\guard32.dll


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Temp
C:\WINDOWS\SYSTEM32\drz2
C:\WINDOWS\SYSTEM32\mec8
C:\WINDOWS\SYSTEM32\pcu1
C:\WINDOWS\SYSTEM32\pcu1\rabs2135.exe

.
((((((((((((((((((((((((( Files Created from 2008-01-14 to 2008-02-14 )))))))))))))))))))))))))))))))
.

2008-02-09 20:57 . 2008-02-09 20:57 <DIR> d-------- C:\Combo-Fix
2008-02-09 19:08 . 2008-02-09 19:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-02-07 20:09 . 2008-02-07 20:09 <DIR> d-------- C:\Deckard
2008-02-07 19:53 . 2008-02-07 19:50 8,576 --------- C:\WINDOWS\SYSTEM32\DRIVERS\qqrnmddscofc.sys
2008-02-07 18:21 . 2008-02-07 18:35 1,472 --a------ C:\WINDOWS\SYSTEM32\tmp.reg
2008-02-07 18:19 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\SYSTEM32\VCCLSID.exe
2008-02-07 18:19 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\SYSTEM32\SrchSTS.exe
2008-02-07 18:19 . 2008-02-06 00:03 85,504 --a------ C:\WINDOWS\SYSTEM32\VACFix.exe
2008-02-07 18:19 . 2008-01-27 14:37 81,920 --a------ C:\WINDOWS\SYSTEM32\IEDFix.exe
2008-02-07 18:19 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\SYSTEM32\dumphive.exe
2008-02-07 18:19 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\SYSTEM32\WS2Fix.exe
2008-02-07 18:13 . 2008-02-07 18:13 <DIR> d-------- C:\Documents and Settings\pumpkin pie\Application Data\Comodo
2008-02-07 18:13 . 2008-02-07 18:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\comodo
2008-02-07 18:13 . 2008-02-07 18:12 139,008 --a------ C:\WINDOWS\SYSTEM32\guard32.dll.vir
2008-02-07 18:13 . 2008-02-07 18:12 83,064 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\cmdGuard.sys
2008-02-07 18:13 . 2008-02-07 18:12 23,800 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\cmdhlp.sys
2008-02-07 18:12 . 2008-02-07 18:12 <DIR> d-------- C:\Program Files\COMODO
2008-02-07 17:52 . 2008-02-07 17:52 <DIR> d-------- C:\Program Files\Yahoo!
2008-02-07 17:52 . 2008-02-07 17:52 <DIR> d-------- C:\Program Files\CCleaner
2008-02-07 17:45 . 2008-02-07 17:45 <DIR> d-------- C:\Program Files\Lavasoft
2008-02-07 17:45 . 2008-02-07 17:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-07 16:29 . 2008-02-07 16:29 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-07 02:59 . 2008-02-07 21:57 <DIR> d-------- C:\VundoFix Backups
2008-02-07 01:57 . 2008-02-07 01:57 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-02-07 01:20 . 2008-02-07 01:20 <DIR> d-------- C:\Documents and Settings\pumpkin pie\Application Data\Grisoft
2008-02-07 01:08 . 2007-05-30 12:10 10,872 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\AvgAsCln.sys
2008-02-07 00:49 . 2008-02-07 00:49 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-07 00:18 . 2008-02-12 23:26 <DIR> d-------- C:\Program Files\RogueRemover FREE
2008-02-06 18:49 . 2008-02-07 21:57 <DIR> d-------- C:\Program Files\Drmupgds
2008-02-06 18:26 . 2008-02-06 18:30 <DIR> d-------- C:\Program Files\Security Task Manager
2008-02-04 08:53 . 2008-02-04 08:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TEMP
2008-02-04 08:52 . 2008-02-04 08:52 <DIR> d-------- C:\Program Files\DiskAnalyzer20
2008-02-04 08:52 . 1997-05-12 02:10 97,280 --a------ C:\WINDOWS\SYSTEM32\ZIPDLL.DLL
2008-02-04 08:52 . 1997-05-12 02:10 89,088 --a------ C:\WINDOWS\SYSTEM32\UNZDLL.DLL
2008-02-04 08:33 . 2008-02-05 17:25 <DIR> d-------- C:\Program Files\R-Wipe&Clean
2008-02-03 22:19 . 2008-02-03 22:20 <DIR> d-------- C:\Program Files\Shred Agent
2008-02-03 03:54 . 2008-02-03 03:54 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-02-03 03:54 . 2008-02-03 03:54 1,409 --a------ C:\WINDOWS\QTFont.for
2008-01-30 00:19 . 2008-01-30 00:25 <DIR> d-------- C:\Program Files\Neuro-Programmer 2
2008-01-22 23:45 . 2008-01-22 23:45 <DIR> d-------- C:\Documents and Settings\pumpkin pie\Application Data\AdobeUM
2008-01-16 20:09 . 2008-01-16 20:09 <DIR> d-------- C:\Program Files\Diskeeper Corporation
2008-01-16 20:09 . 2008-01-16 20:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Diskeeper Corporation
2008-01-15 20:51 . 2008-01-15 20:51 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-07 20:45 --------- d-----w C:\Documents and Settings\pumpkin pie\Application Data\AVG7
2008-02-07 18:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-07 02:29 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-02-07 01:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2008-02-07 00:08 --------- d-----w C:\Program Files\Opera
2008-02-06 18:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\SecTaskMan
2008-02-06 00:37 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-06 00:37 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-02-05 04:31 --------- d-----w C:\Documents and Settings\pumpkin pie\Application Data\R-Wipe&Clean
2008-01-15 23:27 --------- d-----w C:\Program Files\VideoLAN
2008-01-15 23:26 --------- d-----w C:\Program Files\LimeWire
2008-01-15 23:26 --------- d-----w C:\Program Files\Boots F2CD
2008-01-15 22:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\Ulead Systems
2008-01-15 20:58 --------- d-----w C:\Program Files\Microsoft Works
2008-01-15 20:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2008-01-15 20:50 --------- d-----w C:\Documents and Settings\pumpkin pie\Application Data\GlarySoft
2006-08-18 15:28 278,528 -c--a-w C:\Program Files\Common Files\FDEUnInstaller.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-28 12:33 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RegServer"="regserve.exe" [2004-07-30 17:49 28672 C:\WINDOWS\SYSTEM32\RegServe.exe]
"XGIWatchDog"="C:\Program Files\XGI\twatdog.exe" [2004-07-30 17:50 77824]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-04 04:00 158208]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 09:25 6731312]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 04:00 15360]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-02-07 00:45 219136]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"= C:\WINDOWS\system32\guard32.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^broadband medic.lnk]
backup=C:\WINDOWS\pss\broadband medic.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\!AVG Anti-Spyware]
--a------ 2007-06-11 09:25 6731312 C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\38c87cf1]
C:\WINDOWS\system32\ulqvhirm.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
--a------ 2005-06-06 22:46 57344 C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
--a------ 2008-02-07 00:45 579072 C:\PROGRA~1\Grisoft\AVG7\avgcc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Boots Insert Detect]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\COMODO Firewall Pro]
--a------ 2008-02-07 18:12 5046016 C:\Program Files\COMODO\Firewall\cfp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell QuickSet]
--a------ 2004-03-04 19:59 487424 C:\Program Files\Dell\QuickSet\quickset.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
--a------ 2004-03-15 00:04 122933 C:\WINDOWS\system32\dla\tfswctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Drmupgds]
C:\Program Files\Drmupgds\Drmupgds.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
--------- 2004-04-11 10:43 53248 C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
--a------ 2004-02-03 05:42 401491 C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IEraseTraces]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2006-10-30 09:36 256576 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ksxmz]
C:\Documents and Settings\pumpkin pie\My Documents\W?nSxS\r?gsvr32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-01-19 12:54 5674352 C:\PROGRA~1\MSNMES~1\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-10-25 18:58 282624 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
--a------ 2004-10-18 12:23 26112 C:\Program Files\Real\RealPlayer\RealPlay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]
C:\WINDOWS\mrofinu572.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2005-04-13 03:48 36975 C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Trirot]
--a------ 2004-07-30 17:50 65536 C:\WINDOWS\SYSTEM32\Trirot.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
--a------ 2003-08-19 00:01 110592 C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"

R1 cmdGuard;COMODO Firewall Pro Sandbox Driver;C:\WINDOWS\system32\DRIVERS\cmdguard.sys [2008-02-07 18:12]
R1 cmdHlp;COMODO Firewall Pro Helper Driver;C:\WINDOWS\system32\DRIVERS\cmdhlp.sys [2008-02-07 18:12]
R3 Xgiv3;Xgiv3;C:\WINDOWS\system32\DRIVERS\Xgiv3m.sys [2004-07-30 15:11]
S3 bkn50USB;Belkin 54Mbps Wireless USB Network Adapter;C:\WINDOWS\system32\DRIVERS\rt2500usb.sys [2004-07-16 11:14]
S3 FTLUND;Lundinova Filter Driver;C:\WINDOWS\system32\drivers\ftlund.sys [2004-01-19 15:27]
S3 US122DL;US122 Firmware Downloader;C:\WINDOWS\system32\Drivers\US122DL.sys [2004-07-30 11:02]
S3 WipeFile;WipeFile;C:\WINDOWS\system32\DRIVERS\WipeFile.sys [2007-03-03 19:20]

.
Contents of the 'Scheduled Tasks' folder
"2008-01-26 13:49:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2004-10-22 13:04:45 C:\WINDOWS\Tasks\ISP signup reminder 1.job"
- C:\WINDOWS\system32\OOBE\OOBEBALN.EXE
"2008-02-14 12:32:02 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-14 12:33:42
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\guard32.dll

PROCESS: C:\WINDOWS\system32\lsass.exe [5.01.2600.2180]
-> C:\WINDOWS\system32\guard32.dll
.
Completion time: 2008-02-14 12:35:10
ComboFix-quarantined-files.txt 2008-02-14 12:35:05
ComboFix2.txt 2008-02-13 15:52:04
ComboFix3.txt 2008-02-13 15:39:29
ComboFix4.txt 2008-02-12 22:51:46
.
2008-01-09 19:54:43 --- E O F ---


Hijack this

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:39:35, on 14/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\Program Files\XGI\twatdog.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\COMODO\Firewall\cmdagent.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\Crusty.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.orange.co.uk
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.co.uk/myway
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.co.uk/myway
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Orange - {4E7BD74F-2B8D-469E-A1FB-F862B587B57D} - C:\PROGRA~1\orange3\orange3.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: Orange - {4E7BD74F-2B8D-469E-A1FB-F862B587B57D} - C:\PROGRA~1\orange3\orange3.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [RegServer] regserve.exe
O4 - HKLM\..\Run: [XGIWatchDog] C:\Program Files\XGI\twatdog.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: English<->Italian - C:\Program Files\LingvoSoft\LingvoSoft Dictionary 2007 (English-Italian) for Windows\Plugins\IE.htm
O8 - Extra context menu item: orange search - file://C:\Program Files\ORANGE3\Cache\SelectedContextSearch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: English<->Italian - {9FF0EF33-D68F-8B4C-8D11-EBA84CF575CF} - C:\Program Files\LingvoSoft\LingvoSoft Dictionary 2007 (English-Italian) for Windows\Plugins\IE.htm
O9 - Extra 'Tools' menuitem: English<->Italian - {9FF0EF33-D68F-8B4C-8D11-EBA84CF575CF} - C:\Program Files\LingvoSoft\LingvoSoft Dictionary 2007 (English-Italian) for Windows\Plugins\IE.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.orange.co.uk
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

--
End of file - 6951 bytes


Edited by Budwhite501, 13 February 2008 - 07:55 AM.
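The ComboFix "startupreg" blocks and the HijackThis O4/O20 lines above are the entries a helper reads first when triaging a log like this. The script below is an added example, not part of the original post and not code from ComboFix or HijackThis: it parses those two formats and applies a few triage heuristics (random hex value names, a "?" in a path where the log could not render a character, unqualified file names, executables sitting directly in the Windows root, random-looking names in system32, and any AppInit_DLLs entry). The sample input is copied from the logs in the post; the heuristics, thresholds and the `Entry`/`triage` names are the example's own assumptions. A flagged entry is a candidate for manual verification, not a verdict, and the random-name rule will produce false positives on legitimate vendor files.

```python
"""Triage autostart entries from a ComboFix 'startupreg' dump and HijackThis O4/O20 lines.

Heuristics only: a flagged entry is a candidate for manual checking, not a verdict.
"""
import re
from dataclasses import dataclass

# Sample lines copied from the ComboFix and HijackThis logs in the post above.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\!AVG Anti-Spyware]
--a------ 2007-06-11 09:25 6731312 C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\38c87cf1]
C:\WINDOWS\system32\ulqvhirm.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ksxmz]
C:\Documents and Settings\pumpkin pie\My Documents\W?nSxS\r?gsvr32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]
C:\WINDOWS\mrofinu572.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Trirot]
--a------ 2004-07-30 17:50 65536 C:\WINDOWS\SYSTEM32\Trirot.exe

O4 - HKLM\..\Run: [RegServer] regserve.exe
O4 - HKLM\..\Run: [XGIWatchDog] C:\Program Files\XGI\twatdog.exe
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
"""

# ComboFix block header: [HKLM\...\msconfig\startupreg\<value name>]
STARTUPREG = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\software\\microsoft\\shared tools\\msconfig\\startupreg\\(.+)\]$", re.I)
# ComboFix file line with attributes, timestamp, size and path ("--a------ 2007-06-11 09:25 6731312 C:\...")
FILE_META = re.compile(r"^[-a-z]{9} \d{4}-\d\d-\d\d \d\d:\d\d \d+ (.+)$", re.I)
DRIVE_PATH = re.compile(r"^[a-z]:\\", re.I)
O4 = re.compile(r"^O4 - (\S+)\\\.\.\\Run: \[(.+?)\] (.+)$")
O20 = re.compile(r"^O20 - AppInit_DLLs: (.+)$")


@dataclass
class Entry:
    source: str          # "startupreg", "O4" or "O20" (assumed labels)
    name: str            # registry value name
    path: str            # command/file as the log printed it
    has_metadata: bool = True  # ComboFix printed attributes/size for the file


def parse_log(text: str) -> list[Entry]:
    """Extract autostart entries; startupreg blocks without a command line are skipped."""
    lines = [ln.rstrip() for ln in text.splitlines()]
    entries, i = [], 0
    while i < len(lines):
        ln = lines[i]
        if m := STARTUPREG.match(ln):
            nxt = lines[i + 1].strip() if i + 1 < len(lines) else ""
            if meta := FILE_META.match(nxt):
                entries.append(Entry("startupreg", m.group(1), meta.group(1), True))
                i += 2
            elif DRIVE_PATH.match(nxt):
                # A bare path with no attributes: ComboFix recorded no on-disk metadata.
                entries.append(Entry("startupreg", m.group(1), nxt, False))
                i += 2
            else:
                i += 1
            continue
        if m := O4.match(ln):
            value = m.group(3).split(" (User ")[0].strip()   # drop HJT's "(User '...')" suffix
            path = value[1:].split('"', 1)[0] if value.startswith('"') else value.split(" /")[0]
            entries.append(Entry("O4", m.group(2), path))
        elif m := O20.match(ln):
            entries.append(Entry("O20", "AppInit_DLLs", m.group(1)))
        i += 1
    return entries


def suspicion_reasons(e: Entry) -> list[str]:
    """Heuristic reasons to look closer; an empty list means nothing stood out."""
    reasons = []
    fname = e.path.rsplit("\\", 1)[-1]
    stem = fname.rsplit(".", 1)[0].lower()
    parent = e.path.rsplit("\\", 1)[0].lower() if "\\" in e.path else ""
    if re.fullmatch(r"[0-9a-f]{8}", e.name, re.I):
        reasons.append("registry value name is random hex")
    if "?" in e.path:
        reasons.append("path contains a character the log could not render ('?'); check for a look-alike of a system path")
    if not DRIVE_PATH.match(e.path):
        reasons.append("unqualified file name; resolved through the search path at logon")
    if parent in ("c:\\windows", "c:\\winnt"):
        reasons.append("executable directly in the Windows root")
    if parent.endswith("\\system32") and re.fullmatch(r"[a-z]{8,}", stem) \
            and sum(c in "aeiou" for c in stem) < 3:
        reasons.append("random-looking file name in system32 (heuristic; verify vendor/signature)")
    if e.source == "O20":
        reasons.append("AppInit_DLLs is loaded into every process that uses user32.dll; confirm the vendor")
    if e.source == "startupreg" and not e.has_metadata:
        reasons.append("no on-disk metadata in the dump; confirm whether the file still exists")
    return reasons


def triage(text: str) -> dict[str, list[str]]:
    """Map each flagged value name to its reasons; unflagged entries are omitted."""
    return {e.name: r for e in parse_log(text) if (r := suspicion_reasons(e))}


if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_LOG).items():
        print(f"{name}:")
        for r in reasons:
            print(f"  - {r}")
```

Run against the sample, the AVG, XGI and Trirot entries come through clean, while the hex-named system32 DLL, the `W?nSxS\r?gsvr32.exe` path, the executable in `C:\WINDOWS`, the unqualified `regserve.exe` and the AppInit_DLLs entry are listed with the reason each tripped. The next step is always manual: check whether the file exists, who signed it, and when it appeared, before deciding what to remove.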




