
Need Help Removing Vundo Virus


This topic is locked
12 replies to this topic

#1 cooki2222

  • Members
  • 22 posts

Posted 01 March 2008 - 06:05 PM

Hi there, I've tried a few of the removal tools but still seem to have the .tmp files, thousands of them, in C:\ and My Docs.

With the two icons always appearing on my desktop, XP Update and Help Support Centre, something like that.

Here is my HijackThis log; any help would be very appreciated.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:05:00, on 01/03/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Kontiki\KService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\DRIVERS\WtSrv.exe
C:\WINDOWS\system32\WService.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Naimh\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.co.uk/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
F3 - REG:win.ini: load=C:\WINDOWS\system32\awvtq.exe
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WService] WService.EXE
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [4oD] "C:\Program Files\Kontiki\KHost.exe" -all
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [SBI] C:\Documents and Settings\Naimh\Local Settings\Temporary Internet Files\Content.IE5\57KKE4B6\install_sbd_en[1].exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [30ca449a] rundll32.exe "C:\WINDOWS\system32\bjyuamik.dll",b
O4 - HKLM\..\Run: [Cleanup] C:\DOCUME~1\Naimh\LOCALS~1\Temp\200831171442_mcappins.exe /v=3 /cleanup
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [msci] C:\DOCUME~1\Naimh\LOCALS~1\Temp\20083117141_mcinfo.exe /insfin
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [BM33f97706] Rundll32.exe "C:\WINDOWS\system32\fpouykbx.dll",s
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost .exe -all
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/229?970d4b68e3f340db887575d1f6f7d18d
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/230?970d4b68e3f340db887575d1f6f7d18d
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/f...tup1.0.0.15.cab
O16 - DPF: {38D63471-E630-4492-A986-B8C48B79F2F8} (CVideoEgg_ActiveXCtl Object) - http://update.videoegg.com/wintel/VideoEggPublisher.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O18 - Filter hijack: text/html - {2AB289AE-4B90-4281-B2AE-1F4BB034B647} - (no file)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: Microsoft cache control (MSControlService) - Unknown owner - C:\WINDOWS\system32\windows (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: WinTab Service (WinTabService) - Tablet Driver - C:\WINDOWS\system32\DRIVERS\WtSrv.exe

--
End of file - 7907 bytes


#2 SifuMike

    malware expert

  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 07 March 2008 - 12:01 AM

Hello cooki2222,

We will run ComboFix.

You should NOT use ComboFix unless you have been instructed to do so by a Malware Removal Expert. It is intended by its creator to be used under the guidance and supervision of an expert, not for private use. Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.

You need to disable your Norton Antivirus before running ComboFix, as it will prevent it from running.


To disable Norton Antivirus:
Please navigate to the system tray on the bottom right hand corner and look for a [image] sign.
  • right-click it -> choose "Disable Auto-Protect."
  • select a duration of 5 hours (this assures no interference with the cleanup of your pc)
  • click "Ok."
  • a popup will warn that protection will now be disabled and the sign will now look like this: [image]
You successfully disabled the Norton Antivirus Guard.


Please visit this webpage for instructions for downloading and running ComboFix:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Be sure to install the Windows XP Recovery Console in case you have not installed it yet. <== IMPORTANT

We need the Recovery Console because malware damages a lot and causes an unstable system - and because of that, it may happen that your computer won't be able to boot anymore. With the Recovery Console installed, there are extra options present to repair whatever malware damaged.
Also, even though you're not infected, the presence of the Recovery Console is a useful feature in case a computer won't boot anymore because of several other reasons. Read here what you can do with the Recovery Console.

Extra note: After you have installed the Recovery Console - if you reboot your computer, right after reboot, you'll see the option for the Recovery Console now as well.
Don't select to run the Recovery Console as we don't need it.
By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows.


Post the ComboFix log.

#3 cooki2222

  • Topic Starter
  • Members
  • 22 posts

Posted 08 March 2008 - 06:05 PM

Here is the log from ComboFix.


ComboFix 08-03-07.4 - Naimh 2008-03-08 22:48:11.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.547 [GMT 0:00]
Running from: C:\Documents and Settings\Naimh\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\MyWebSearch
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\avatar.htm
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\bgfadel.gif
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\bgfader.gif
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\close.gif
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\common-x.css
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\common.css
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\cornerbl.gif
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\cornerbr.gif
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\htmlctrl.js
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\include.js
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\index.htm
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\loading.gif
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\login.htm
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\logo.gif
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\max.gif
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\min.gif
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\noflash.htm
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\spacer.gif
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\spacer.swf
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\unmax.gif
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\wardrobe.htm
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\window.ico
C:\WINDOWS\BM33f97706.xml
C:\WINDOWS\cookies.ini
C:\WINDOWS\Fonts\acrsecB.fon
C:\WINDOWS\pskt.ini
C:\WINDOWS\smdat32a.sys
C:\WINDOWS\smdat32m.sys
C:\WINDOWS\system32\ctfmon.exe.tmp
C:\WINDOWS\system32\dudlapfy.ini
C:\WINDOWS\system32\gemxxnps.ini
C:\WINDOWS\system32\hbwkjgar.ini
C:\WINDOWS\system32\ijklegip.ini
C:\WINDOWS\system32\iwxxdqxq.ini
C:\WINDOWS\system32\kbqksddq.ini
C:\WINDOWS\system32\kdcnbbsy.ini
C:\WINDOWS\system32\kdomneua.ini
C:\WINDOWS\system32\kimauyjb.ini
C:\WINDOWS\system32\mllmn.dll
C:\WINDOWS\system32\nmllm.ini
C:\WINDOWS\system32\nmllm.ini2
C:\WINDOWS\system32\ohwsipqw.dll
C:\WINDOWS\system32\qxqdxxwi.dll
C:\WINDOWS\system32\uuxigkkp.dll
C:\WINDOWS\system32\vnftdhiu.ini

.
((((((((((((((((((((((((( Files Created from 2008-02-08 to 2008-03-08 )))))))))))))))))))))))))))))))
.

2008-03-08 21:45 . 2008-03-08 21:45 <DIR> d-------- C:\Program Files\Symantec_Client_Security
2008-03-08 21:45 . 2008-03-08 21:44 124,167 --a------ C:\WINDOWS\system32\SYMEVNT.386
2008-03-08 21:45 . 2008-03-08 21:44 83,208 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2008-03-08 21:45 . 2008-03-08 21:44 73,496 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-03-02 22:42 . 2008-03-08 21:20 1,307,981 ---hs---- C:\WINDOWS\system32\xreqhhvv.ini
2008-03-02 22:42 . 2008-03-02 22:42 1,286,261 ---hs---- C:\WINDOWS\system32\kimauyjb.tmp
2008-03-02 20:23 . 2008-03-02 20:23 82,757,930 --a------ C:\SYM_REGISTRY_BACKUP.reg
2008-03-01 23:26 . 2007-12-14 01:59 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-03-01 23:25 . 2008-03-01 23:25 <DIR> d-------- C:\Program Files\Common Files\Java
2008-03-01 22:22 . 2008-03-01 22:53 27,652 ---hs---- C:\WINDOWS\system32\ymhbghtt.dllbox
2008-03-01 21:38 . 2008-03-01 22:20 <DIR> d-------- C:\VundoFix Backups
2008-03-01 21:38 . 2008-03-01 21:38 0 --a------ C:\WINDOWS\vpc32.INI
2008-03-01 17:16 . 2008-03-08 21:45 <DIR> d-------- C:\Program Files\Symantec
2008-03-01 17:15 . 2008-03-08 21:45 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2008-03-01 17:15 . 2008-03-01 17:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2008-02-25 20:42 . 2008-03-01 17:22 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-02-18 13:32 . 2008-02-23 10:49 1,405,625 --ahs---- C:\WINDOWS\system32\yyjssdwo.ini
2008-02-09 16:09 . 2008-02-15 09:42 1,454,108 --ahs---- C:\WINDOWS\system32\lfoetgpl.ini

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-08 22:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kontiki
2008-03-08 22:10 --------- d-----w C:\Documents and Settings\Naimh\Application Data\uTorrent
2008-03-08 21:29 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-03-08 21:26 --------- d-----w C:\Program Files\Common Files\Sonic Shared
2008-03-02 20:52 --------- d-----w C:\Program Files\MSN Messenger
2008-03-01 23:26 --------- d-----w C:\Program Files\Java
2008-03-01 22:46 --------- d-----w C:\Program Files\GemMaster
2008-03-01 19:52 --------- d-----w C:\Program Files\QuickTime
2008-03-01 19:51 --------- d-----w C:\Program Files\Windows Defender
2008-03-01 19:51 --------- d-----w C:\Program Files\Kontiki
2008-03-01 19:51 --------- d-----w C:\Program Files\iTunes
2008-03-01 17:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee.com
2008-02-25 20:20 --------- d-----w C:\Program Files\Common Files\Adobe
2008-02-25 19:48 --------- d-----w C:\Program Files\Google
2008-02-06 17:58 --------- d-----w C:\Program Files\uTorrent
2008-02-03 22:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-03 22:34 --------- d-----w C:\Program Files\Lavasoft
2008-01-11 22:47 --------- d-----w C:\Program Files\iPod
2008-01-11 22:41 --------- d-----w C:\Program Files\Common Files\Apple
2008-01-04 23:27 774,144 ----a-w C:\Program Files\RngInterstitial.dll
2008-01-04 18:20 8,224 ----a-w C:\Documents and Settings\Naimh\Application Data\GDIPFONTCACHEV1.DAT
2007-05-19 23:11 104 --sh--r C:\WINDOWS\system32\DBDB1344D3.sys
2007-05-19 23:11 6,580 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.
<pre>
----a-w			39,792 2008-03-01 17:06:01  C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl .exe
----a-w		 2,321,600 2008-03-01 17:06:30  C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater .exe
----a-w		   180,269 2008-03-01 17:05:12  C:\Program Files\Common Files\Real\Update_OB\realsched .exe
----a-w		   847,872 2008-03-01 17:06:00  C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3 .exe
----a-w			68,856 2008-02-25 19:47:18  C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe
----a-w		   267,048 2008-03-01 17:05:52  C:\Program Files\iTunes\iTunesHelper .exe
----a-w		   110,592 2008-03-01 18:28:13  C:\Program Files\McAfee\SpamKiller\MS0516~1 .EXE
----a-w		   110,592 2008-03-01 18:28:16  C:\Program Files\McAfee\SpamKiller\MS0516~2 .EXE
----a-w		   110,592 2008-03-01 18:28:19  C:\Program Files\McAfee\SpamKiller\MS0516~3 .EXE
----a-w		   110,592 2008-03-01 18:28:20  C:\Program Files\McAfee\SpamKiller\MS0516~4 .EXE
----a-w		   110,592 2008-03-01 18:28:22  C:\Program Files\McAfee\SpamKiller\MS1617~1 .EXE
----a-w		   110,592 2008-03-01 18:28:23  C:\Program Files\McAfee\SpamKiller\MS1617~2 .EXE
----a-w		   110,592 2008-03-01 18:28:25  C:\Program Files\McAfee\SpamKiller\MS1617~3 .EXE
----a-w		   110,592 2008-03-01 18:28:27  C:\Program Files\McAfee\SpamKiller\MS1617~4 .EXE
----a-w		   110,592 2008-03-01 18:28:28  C:\Program Files\McAfee\SpamKiller\MS162B~1 .EXE
----a-w		   110,592 2008-03-01 18:28:30  C:\Program Files\McAfee\SpamKiller\MS162B~2 .EXE
----a-w		   110,592 2008-03-01 18:28:31  C:\Program Files\McAfee\SpamKiller\MS162B~3 .EXE
----a-w		   110,592 2008-03-01 18:28:32  C:\Program Files\McAfee\SpamKiller\MS162B~4 .EXE
----a-w		   110,592 2008-03-01 18:28:34  C:\Program Files\McAfee\SpamKiller\MS18BE~1 .EXE
----a-w		   110,592 2008-03-01 18:28:37  C:\Program Files\McAfee\SpamKiller\MS18BE~2 .EXE
----a-w		   110,592 2008-03-01 18:28:40  C:\Program Files\McAfee\SpamKiller\MS18BE~3 .EXE
----a-w		   110,592 2008-03-01 18:28:41  C:\Program Files\McAfee\SpamKiller\MS18BE~4 .EXE
----a-w		   110,592 2008-03-01 18:28:43  C:\Program Files\McAfee\SpamKiller\MS849B~1 .EXE
----a-w		   110,592 2008-03-01 18:28:46  C:\Program Files\McAfee\SpamKiller\MS849B~2 .EXE
----a-w		   110,592 2008-03-01 17:05:07  C:\Program Files\McAfee\SpamKiller\MS849B~3 .EXE
----a-w		   110,592 2008-03-01 17:12:56  C:\Program Files\McAfee\SpamKiller\MskAgent .exe
----a-w		   110,592 2008-03-01 18:28:48  C:\Program Files\McAfee\SpamKiller\MSKAGE~1 .EXE
----a-w		   110,592 2008-03-01 18:28:50  C:\Program Files\McAfee\SpamKiller\MSKAGE~2 .EXE
----a-w		   110,592 2008-03-01 18:28:52  C:\Program Files\McAfee\SpamKiller\MSKAGE~3 .EXE
----a-w		   110,592 2008-03-01 18:28:52  C:\Program Files\McAfee\SpamKiller\MSKAGE~4 .EXE
----a-w		 1,005,096 2008-03-01 17:12:23  C:\Program Files\McAfee.com\Personal Firewall\MPFTray .exe
----a-w		   151,552 2008-03-01 17:05:14  C:\Program Files\McAfee.com\VSO\mcmnhdlr .exe
----a-w		   163,840 2008-03-01 17:13:22  C:\Program Files\McAfee.com\VSO\mcvsshld .exe
----a-w			53,248 2008-03-01 17:04:00  C:\Program Files\McAfee.com\VSO\oasclnt .exe
----a-w		 1,694,208 2008-03-01 17:06:21  C:\Program Files\Messenger\msmsgs .exe
----a-w		 5,674,352 2008-03-01 17:06:24  C:\Program Files\MSN Messenger\msnmsgr .exe
----a-w		   286,720 2008-02-04 19:18:34  C:\Program Files\QuickTime\qttask					  .exe
----a-w		   286,720 2008-03-01 18:37:32  C:\Program Files\QuickTime\qttask					 .exe
----a-w		   286,720 2008-03-01 18:37:34  C:\Program Files\QuickTime\qttask					.exe
----a-w		   286,720 2008-03-01 18:37:36  C:\Program Files\QuickTime\qttask				   .exe
----a-w		   286,720 2008-03-01 18:37:39  C:\Program Files\QuickTime\qttask				  .exe
----a-w		   286,720 2008-03-01 18:37:42  C:\Program Files\QuickTime\qttask				 .exe
----a-w		   286,720 2008-03-01 18:37:45  C:\Program Files\QuickTime\qttask				.exe
----a-w		   286,720 2008-03-01 18:37:47  C:\Program Files\QuickTime\qttask			   .exe
----a-w		   286,720 2008-03-01 18:37:50  C:\Program Files\QuickTime\qttask			  .exe
----a-w		   286,720 2008-03-01 18:37:53  C:\Program Files\QuickTime\qttask			 .exe
----a-w		   286,720 2008-03-01 18:37:56  C:\Program Files\QuickTime\qttask			.exe
----a-w		   286,720 2008-03-01 18:37:58  C:\Program Files\QuickTime\qttask		   .exe
----a-w		   286,720 2008-03-01 18:38:01  C:\Program Files\QuickTime\qttask		  .exe
----a-w		   286,720 2008-03-01 18:38:07  C:\Program Files\QuickTime\qttask		.exe
----a-w		   286,720 2008-03-01 18:38:10  C:\Program Files\QuickTime\qttask	   .exe
----a-w		   286,720 2008-03-01 18:38:13  C:\Program Files\QuickTime\qttask	  .exe
----a-w		   286,720 2008-03-01 18:38:16  C:\Program Files\QuickTime\qttask	 .exe
----a-w		   286,720 2008-03-01 18:38:20  C:\Program Files\QuickTime\qttask	.exe
----a-w		   286,720 2008-03-01 18:38:23  C:\Program Files\QuickTime\qttask   .exe
----a-w		   286,720 2008-03-01 18:38:25  C:\Program Files\QuickTime\qttask  .exe
----a-w		   286,720 2008-03-01 18:38:29  C:\Program Files\QuickTime\qttask .exe
----a-w		   866,584 2008-03-01 17:05:39  C:\Program Files\Windows Defender\MSASCui .exe
----a-w			15,360 2008-03-01 10:54:50  C:\WINDOWS\system32\ctfmon .exe
</pre>


-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5160D928-B20A-45E1-9317-A6A6F114149F}]
C:\WINDOWS\system32\awvtq.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 12:54 5674352]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [ ]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 05:00 15360]
"kdx"="C:\Program Files\Kontiki\KHost.exe" [ ]
"AdobeUpdater"="C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [ ]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [ ]
"DellSupport"="C:\Program Files\Dell Support\DSAgnt.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [ ]
"WService"="WService.EXE" [2002-09-07 10:23 28672 C:\WINDOWS\system32\WService.exe]
"4oD"="C:\Program Files\Kontiki\KHost.exe" [ ]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [ ]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [ ]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-01 18:38 286720]
"SBI"="C:\Documents and Settings\Naimh\Local Settings\Temporary Internet Files\Content.IE5\57KKE4B6\install_sbd_en[1].exe" [ ]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [ ]
"MSKDetectorExe"="C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe" [ ]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe" [ ]
"VSOCheckTask"="C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" [2008-03-01 18:29 151552]
"VirusScan Online"="C:\Program Files\McAfee.com\VSO\mcvsshld.exe" [2008-03-01 18:29 163840]
"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2005-10-26 16:17 159744]
"P2P Networking"="C:\WINDOWS\system32\P2P Networking\P2P Networking.exe" [ ]
"OASClnt"="C:\Program Files\McAfee.com\VSO\oasclnt.exe" [2008-03-01 18:29 53248]
"MSKAGENTEXE"="C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe" [ ]
"MPFExe"="C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe" [ ]
"MMTray"="C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe" [ ]
"mmtask"="C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe" [ ]
"MessengerPlus3"="C:\Program Files\MessengerPlus! 3\MsgPlus.exe" [ ]
"MCUpdateExe"="c:\PROGRA~1\mcafee.com\agent\mcupdate.exe" [ ]
"MCAgentExe"="c:\PROGRA~1\mcafee.com\agent\mcagent.exe" [ ]
"KAZAA"="C:\Program Files\Kazaa\kazaa.exe" [ ]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 10:44 81920]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [ ]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-07-19 23:09 94208]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-07-19 23:10 114688]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-07-19 23:06 77824]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-09-29 14:01 67584]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 16:19 53248]
"Corel Photo Downloader"="C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe" [ ]
"/AutoLaunchHDD70"="C:\Program Files\PHILIPS\HDDDMM\DMM\bin\AutoLaunchHDD70.exe" [ ]
"vptray"="C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe" [2003-12-17 22:00 90112]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-10 05:00 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Belkin 802.11g Wireless PCI Card Configuration Utility.lnk - C:\Program Files\Belkin\Belkin 802.11g Wireless PCI Card Configuration Utility\utility.exe [2006-01-06 14:31:51 327765]
Bluetooth.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [2005-07-22 15:50:16 577597]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Kontiki\\KService.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R2 UxTuneUp;TuneUp Design Expansion;C:\WINDOWS\System32\svchost.exe [2004-08-10 05:00]
R3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;C:\PROGRA~1\Belkin\BELKIN~1.11G\DNINDIS5.SYS [2003-07-24 12:10]
S3 CoachUsb;Coach Digital Camera on USB;C:\WINDOWS\system32\DRIVERS\CoachUsb.sys [2004-01-22 11:41]
S3 MSControlService;Microsoft cache control;C:\WINDOWS\system32\windows []
S3 ss_bus;SAMSUNG Mobile USB Device 1.0 driver (WDM);C:\WINDOWS\system32\DRIVERS\ss_bus.sys [2005-08-30 17:57]
S3 ss_mdfl;SAMSUNG Mobile USB Modem 1.0 Filter;C:\WINDOWS\system32\DRIVERS\ss_mdfl.sys [2005-08-30 17:58]
S3 ss_mdm;SAMSUNG Mobile USB Modem 1.0 Drivers;C:\WINDOWS\system32\DRIVERS\ss_mdm.sys [2005-08-30 17:59]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ce1e9828-b390-11da-a989-00115062b48a}]
\Shell\AutoRun\command - E:\setupSNK.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-01-25 19:08:06 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2006\SystemOptimizer.exe
"2008-01-11 22:34:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-03-08 22:02:02 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
"2008-03-08 22:58:14 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-08 22:56:00
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\MSControlService]
"ImagePath"="C:\WINDOWS\system32\windows"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\NavLogon.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Kontiki\KService.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\DRIVERS\WtSrv.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
.
**************************************************************************
.
Completion time: 2008-03-08 22:59:33 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-08 22:59:30
.
2008-03-08 21:37:52 --- E O F ---
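The snapshot table in the log above lists executables whose names carry spaces between the stem and the extension (qttask followed by a run of spaces, then .exe) sitting beside the genuine file of the same name; those are the rows the RenV:: section of the script in the next post hands to ComboFix. The following is an added example, not code from the thread or from ComboFix: it parses rows of that shape, flags the space-padded names, groups them under the name they imitate, and assembles the verbatim rows into a RenV:: block. The sample rows are constructed from the pattern in cooki2222's log, and the row format (attributes, size, date, time, path) is assumed from the lines shown; all function names are my own.

```python
import re
from typing import Dict, List, NamedTuple

# Constructed sample in the shape of ComboFix's snapshot table above
# (attributes, size, date, time, path). The space-padded "qttask   .exe"
# and "ctfmon .exe" names follow the pattern in the log; the unpadded
# rows stand in for the genuine files.
SAMPLE_SNAPSHOT = """\
----a-w           286,720 2008-02-04 19:18:34  C:\\Program Files\\QuickTime\\qttask.exe
----a-w           286,720 2008-03-01 18:37:32  C:\\Program Files\\QuickTime\\qttask          .exe
----a-w           286,720 2008-03-01 18:38:29  C:\\Program Files\\QuickTime\\qttask .exe
----a-w            15,360 2004-08-10 05:00:00  C:\\WINDOWS\\system32\\ctfmon.exe
----a-w            15,360 2008-03-01 10:54:50  C:\\WINDOWS\\system32\\ctfmon .exe
"""

# One snapshot row: 7 attribute flags, comma-grouped size, date, time, path.
LINE_RE = re.compile(
    r"^(?P<attrs>[-a-z]{7})\s+(?P<size>[\d,]+)\s+"
    r"(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2})\s+(?P<path>.+)$"
)


class SnapshotEntry(NamedTuple):
    attrs: str
    size: int
    timestamp: str
    path: str
    raw: str  # the original line, kept so it can be copied into a script verbatim


def parse_snapshot(text: str) -> List[SnapshotEntry]:
    """Parse the rows of a ComboFix snapshot table; lines of another shape are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append(SnapshotEntry(
                m["attrs"], int(m["size"].replace(",", "")),
                f"{m['date']} {m['time']}", m["path"], line))
    return entries


def _split_name(path: str):
    # Basename of a Windows path, split into stem, dot and extension.
    name = path.rsplit("\\", 1)[-1]
    stem, dot, ext = name.rpartition(".")
    return stem, dot, ext


def is_padded_name(path: str) -> bool:
    """True when whitespace sits between the stem and the extension,
    e.g. 'qttask   .exe' imitating 'qttask.exe'."""
    stem, dot, _ = _split_name(path)
    return bool(dot) and stem != stem.rstrip()


def imitated_name(path: str) -> str:
    """The legitimate-looking file name a padded entry imitates."""
    stem, dot, ext = _split_name(path)
    return f"{stem.rstrip()}{dot}{ext}"


def find_padded_executables(text: str) -> Dict[str, List[str]]:
    """Map each imitated name (lower-cased) to the padded paths found for it."""
    suspects: Dict[str, List[str]] = {}
    for e in parse_snapshot(text):
        if is_padded_name(e.path):
            suspects.setdefault(imitated_name(e.path).lower(), []).append(e.path)
    return suspects


def build_renv_section(text: str) -> str:
    """Assemble a 'RenV::' block of the padded rows, copied verbatim from the
    snapshot the way the CFScript in the next post lists them."""
    rows = [e.raw for e in parse_snapshot(text) if is_padded_name(e.path)]
    return "RenV::\n" + "\n".join(rows) + "\n" if rows else ""


if __name__ == "__main__":
    for name, paths in sorted(find_padded_executables(SAMPLE_SNAPSHOT).items()):
        print(f"{name}: {len(paths)} padded copy/copies")
        for p in paths:
            print("   ", repr(p))  # repr() makes the padding visible
    print(build_renv_section(SAMPLE_SNAPSHOT))
```

Printing the paths with repr() is deliberate: in a plain listing the padding disappears into the column alignment, which is exactly why such names are easy to overlook.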

#4 SifuMike

    malware expert

  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 08 March 2008 - 10:36 PM

Hi cooki2222,


Click Start, then Run and type Notepad and click OK.
Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the code box below into notepad:

File:: 
C:\WINDOWS\system32\xreqhhvv.ini
C:\WINDOWS\system32\kimauyjb.tmp
C:\WINDOWS\vpc32.INI
C:\WINDOWS\system32\yyjssdwo.ini
C:\WINDOWS\system32\lfoetgpl.ini
C:\WINDOWS\system32\awvtq.dll

Folder:: 
C:\VundoFix Backups
C:\Program Files\Kazaa
C:\WINDOWS\system32\P2P Networking 

RenV:: 
----a-w            39,792 2008-03-01 17:06:01  C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl .exe
----a-w         2,321,600 2008-03-01 17:06:30  C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater .exe
----a-w           180,269 2008-03-01 17:05:12  C:\Program Files\Common Files\Real\Update_OB\realsched .exe
----a-w           847,872 2008-03-01 17:06:00  C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3 .exe
----a-w            68,856 2008-02-25 19:47:18  C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe
----a-w           267,048 2008-03-01 17:05:52  C:\Program Files\iTunes\iTunesHelper .exe
----a-w           110,592 2008-03-01 18:28:13  C:\Program Files\McAfee\SpamKiller\MS0516~1 .EXE
----a-w           110,592 2008-03-01 18:28:16  C:\Program Files\McAfee\SpamKiller\MS0516~2 .EXE
----a-w           110,592 2008-03-01 18:28:19  C:\Program Files\McAfee\SpamKiller\MS0516~3 .EXE
----a-w           110,592 2008-03-01 18:28:20  C:\Program Files\McAfee\SpamKiller\MS0516~4 .EXE
----a-w           110,592 2008-03-01 18:28:22  C:\Program Files\McAfee\SpamKiller\MS1617~1 .EXE
----a-w           110,592 2008-03-01 18:28:23  C:\Program Files\McAfee\SpamKiller\MS1617~2 .EXE
----a-w           110,592 2008-03-01 18:28:25  C:\Program Files\McAfee\SpamKiller\MS1617~3 .EXE
----a-w           110,592 2008-03-01 18:28:27  C:\Program Files\McAfee\SpamKiller\MS1617~4 .EXE
----a-w           110,592 2008-03-01 18:28:28  C:\Program Files\McAfee\SpamKiller\MS162B~1 .EXE
----a-w           110,592 2008-03-01 18:28:30  C:\Program Files\McAfee\SpamKiller\MS162B~2 .EXE
----a-w           110,592 2008-03-01 18:28:31  C:\Program Files\McAfee\SpamKiller\MS162B~3 .EXE
----a-w           110,592 2008-03-01 18:28:32  C:\Program Files\McAfee\SpamKiller\MS162B~4 .EXE
----a-w           110,592 2008-03-01 18:28:34  C:\Program Files\McAfee\SpamKiller\MS18BE~1 .EXE
----a-w           110,592 2008-03-01 18:28:37  C:\Program Files\McAfee\SpamKiller\MS18BE~2 .EXE
----a-w           110,592 2008-03-01 18:28:40  C:\Program Files\McAfee\SpamKiller\MS18BE~3 .EXE
----a-w           110,592 2008-03-01 18:28:41  C:\Program Files\McAfee\SpamKiller\MS18BE~4 .EXE
----a-w           110,592 2008-03-01 18:28:43  C:\Program Files\McAfee\SpamKiller\MS849B~1 .EXE
----a-w           110,592 2008-03-01 18:28:46  C:\Program Files\McAfee\SpamKiller\MS849B~2 .EXE
----a-w           110,592 2008-03-01 17:05:07  C:\Program Files\McAfee\SpamKiller\MS849B~3 .EXE
----a-w           110,592 2008-03-01 17:12:56  C:\Program Files\McAfee\SpamKiller\MskAgent .exe
----a-w           110,592 2008-03-01 18:28:48  C:\Program Files\McAfee\SpamKiller\MSKAGE~1 .EXE
----a-w           110,592 2008-03-01 18:28:50  C:\Program Files\McAfee\SpamKiller\MSKAGE~2 .EXE
----a-w           110,592 2008-03-01 18:28:52  C:\Program Files\McAfee\SpamKiller\MSKAGE~3 .EXE
----a-w           110,592 2008-03-01 18:28:52  C:\Program Files\McAfee\SpamKiller\MSKAGE~4 .EXE
----a-w         1,005,096 2008-03-01 17:12:23  C:\Program Files\McAfee.com\Personal Firewall\MPFTray .exe
----a-w           151,552 2008-03-01 17:05:14  C:\Program Files\McAfee.com\VSO\mcmnhdlr .exe
----a-w           163,840 2008-03-01 17:13:22  C:\Program Files\McAfee.com\VSO\mcvsshld .exe
----a-w            53,248 2008-03-01 17:04:00  C:\Program Files\McAfee.com\VSO\oasclnt .exe
----a-w         1,694,208 2008-03-01 17:06:21  C:\Program Files\Messenger\msmsgs .exe
----a-w         5,674,352 2008-03-01 17:06:24  C:\Program Files\MSN Messenger\msnmsgr .exe
----a-w           286,720 2008-02-04 19:18:34  C:\Program Files\QuickTime\qttask                      .exe
----a-w           286,720 2008-03-01 18:37:32  C:\Program Files\QuickTime\qttask                     .exe
----a-w           286,720 2008-03-01 18:37:34  C:\Program Files\QuickTime\qttask                    .exe
----a-w           286,720 2008-03-01 18:37:36  C:\Program Files\QuickTime\qttask                   .exe
----a-w           286,720 2008-03-01 18:37:39  C:\Program Files\QuickTime\qttask                  .exe
----a-w           286,720 2008-03-01 18:37:42  C:\Program Files\QuickTime\qttask                 .exe
----a-w           286,720 2008-03-01 18:37:45  C:\Program Files\QuickTime\qttask                .exe
----a-w           286,720 2008-03-01 18:37:47  C:\Program Files\QuickTime\qttask               .exe
----a-w           286,720 2008-03-01 18:37:50  C:\Program Files\QuickTime\qttask              .exe
----a-w           286,720 2008-03-01 18:37:53  C:\Program Files\QuickTime\qttask             .exe
----a-w           286,720 2008-03-01 18:37:56  C:\Program Files\QuickTime\qttask            .exe
----a-w           286,720 2008-03-01 18:37:58  C:\Program Files\QuickTime\qttask           .exe
----a-w           286,720 2008-03-01 18:38:01  C:\Program Files\QuickTime\qttask          .exe
----a-w           286,720 2008-03-01 18:38:07  C:\Program Files\QuickTime\qttask        .exe
----a-w           286,720 2008-03-01 18:38:10  C:\Program Files\QuickTime\qttask       .exe
----a-w           286,720 2008-03-01 18:38:13  C:\Program Files\QuickTime\qttask      .exe
----a-w           286,720 2008-03-01 18:38:16  C:\Program Files\QuickTime\qttask     .exe
----a-w           286,720 2008-03-01 18:38:20  C:\Program Files\QuickTime\qttask    .exe
----a-w           286,720 2008-03-01 18:38:23  C:\Program Files\QuickTime\qttask   .exe
----a-w           286,720 2008-03-01 18:38:25  C:\Program Files\QuickTime\qttask  .exe
----a-w           286,720 2008-03-01 18:38:29  C:\Program Files\QuickTime\qttask .exe
----a-w           866,584 2008-03-01 17:05:39  C:\Program Files\Windows Defender\MSASCui .exe
----a-w            15,360 2008-03-01 10:54:50  C:\WINDOWS\system32\ctfmon .exe

Registry:: 
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5160D928-B20A-45E1-9317-A6A6F114149F}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"KAZAA"=- 
"P2P Networking"=-


Name the Notepad file CFScript.txt and Save it to your desktop.

IMPORTANT: The above script was written specifically for this infection on this person's computer. It is NOT to be used on another computer, as it may cause damage that could result in a format!

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.



[Screenshot: CFScript.txt being dragged onto ComboFix.exe]

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Edited by SifuMike, 08 March 2008 - 10:36 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
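The RenV:: section of the script above lists executables whose names carry whitespace between the stem and the extension (qttask .exe, ctfmon .exe, MS0516~1 .EXE), which ComboFix renames back; the log shows more than twenty qttask copies that differ only in how much padding they carry. As an added example, not part of this thread or of ComboFix, the following Python reads lines in that listing format, flags every name with whitespace before its extension, and counts how many padded copies resolve to the same intended name. The sample lines are constructed after the ones in the post, and the intended name is derived purely by removing the padding; whether a genuine file already exists at that name is something a reviewer still has to check on the machine.

```python
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Constructed sample in the layout of ComboFix's RenV:: listing
# (attributes, size, timestamp, path). The first four entries are modelled on
# the ones in the post above; the last is an unpadded path added for contrast.
SAMPLE_RENV = r"""
----a-w           286,720 2008-03-01 18:38:29  C:\Program Files\QuickTime\qttask .exe
----a-w           286,720 2008-03-01 18:38:23  C:\Program Files\QuickTime\qttask   .exe
----a-w            15,360 2008-03-01 10:54:50  C:\WINDOWS\system32\ctfmon .exe
----a-w           110,592 2008-03-01 18:28:13  C:\Program Files\McAfee\SpamKiller\MS0516~1 .EXE
----a-w           286,720 2008-02-04 19:18:34  C:\Program Files\QuickTime\qttask.exe
"""

# One listing line: attribute flags, comma-grouped size, date, time, path.
RENV_LINE = re.compile(
    r"^(?P<attr>\S+)\s+(?P<size>[\d,]+)\s+"
    r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(?P<path>.+?)\s*$"
)
# A file name whose extension is separated from the stem by whitespace,
# e.g. "qttask .exe" or "MS0516~1 .EXE".
SPACE_BEFORE_EXT = re.compile(r"^(?P<stem>.*\S)(?P<pad>\s+)(?P<ext>\.[A-Za-z0-9]+)$")


def parse_renv(text: str) -> List[Dict[str, str]]:
    """Parse RenV::-style lines into dicts; lines that do not fit are skipped."""
    entries = []
    for line in text.splitlines():
        m = RENV_LINE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def intended_name(path: str) -> Optional[str]:
    """Return the path with the padding removed, or None if it is not padded."""
    m = SPACE_BEFORE_EXT.match(path)
    if not m:
        return None
    return m["stem"] + m["ext"]


def padded_entries(text: str) -> List[Tuple[str, str]]:
    """(padded_path, intended_path) for every padded name in the listing."""
    pairs = []
    for entry in parse_renv(text):
        target = intended_name(entry["path"])
        if target is not None:
            pairs.append((entry["path"], target))
    return pairs


def collisions(text: str) -> Dict[str, int]:
    """How many padded copies resolve to each intended name.

    A count above one means several files differ only in the amount of
    whitespace before the extension, as with the qttask copies in the log.
    """
    return dict(Counter(target for _, target in padded_entries(text)))


if __name__ == "__main__":
    for padded, target in padded_entries(SAMPLE_RENV):
        print(f"{padded!r} -> {target!r}")
    for target, n in collisions(SAMPLE_RENV).items():
        if n > 1:
            print(f"{n} padded copies of {target}")
```

Feed it the RenV:: block from a real ComboFix log and the collision counts tell you at a glance which program names were duplicated; the clean qttask.exe in the sample is deliberately not reported, because only padded names are candidates for renaming.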

#5 cooki2222

cooki2222
  • Topic Starter
  • Members
  • 22 posts

Posted 10 March 2008 - 03:24 PM

ComboFix 08-03-07.4 - Naimh 2008-03-10 19:59:36.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.577 [GMT 0:00]
Running from: C:\Documents and Settings\Naimh\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Naimh\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\system32\awvtq.dll
C:\WINDOWS\system32\kimauyjb.tmp
C:\WINDOWS\system32\lfoetgpl.ini
C:\WINDOWS\system32\xreqhhvv.ini
C:\WINDOWS\system32\yyjssdwo.ini
C:\WINDOWS\vpc32.INI
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\VundoFix Backups
C:\VundoFix Backups\awvtq.dll.bad
C:\VundoFix Backups\bxlbdswt.dll.bad
C:\VundoFix Backups\cubwbqpm.ini.bad
C:\VundoFix Backups\mpqbwbuc.dll.bad
C:\VundoFix Backups\qtvwa.ini.bad
C:\VundoFix Backups\qtvwa.ini2.bad
C:\VundoFix Backups\ymhbghtt.dllbox.bad
C:\WINDOWS\Fonts\acrsecI.fon
C:\WINDOWS\system32\kimauyjb.tmp
C:\WINDOWS\system32\lfoetgpl.ini
C:\WINDOWS\system32\xreqhhvv.ini
C:\WINDOWS\system32\ymhbghtt.dllbox
C:\WINDOWS\system32\yyjssdwo.ini
C:\WINDOWS\vpc32.INI

.
((((((((((((((((((((((((( Files Created from 2008-02-10 to 2008-03-10 )))))))))))))))))))))))))))))))
.

2008-03-10 20:16 . 2008-03-10 20:16 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-03-10 20:16 . 2008-03-10 20:16 1,409 --a------ C:\WINDOWS\QTFont.for
2008-03-08 21:45 . 2008-03-08 21:45 <DIR> d-------- C:\Program Files\Symantec_Client_Security
2008-03-08 21:45 . 2008-03-08 21:44 124,167 --a------ C:\WINDOWS\system32\SYMEVNT.386
2008-03-08 21:45 . 2008-03-08 21:44 83,208 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2008-03-08 21:45 . 2008-03-08 21:44 73,496 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-03-02 20:23 . 2008-03-02 20:23 82,757,930 --a------ C:\SYM_REGISTRY_BACKUP.reg
2008-03-01 23:26 . 2007-12-14 01:59 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-03-01 23:25 . 2008-03-01 23:25 <DIR> d-------- C:\Program Files\Common Files\Java
2008-03-01 17:16 . 2008-03-08 21:45 <DIR> d-------- C:\Program Files\Symantec
2008-03-01 17:15 . 2008-03-08 21:45 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2008-03-01 17:15 . 2008-03-01 17:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2008-02-25 20:42 . 2008-03-01 17:22 <DIR> d-------- C:\Program Files\Enigma Software Group

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-10 20:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kontiki
2008-03-10 20:03 --------- d-----w C:\Program Files\MSN Messenger
2008-03-10 19:59 --------- d-----w C:\Program Files\Windows Defender
2008-03-10 19:59 --------- d-----w C:\Program Files\QuickTime
2008-03-10 19:58 --------- d-----w C:\Program Files\iTunes
2008-03-08 22:10 --------- d-----w C:\Documents and Settings\Naimh\Application Data\uTorrent
2008-03-08 21:29 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-03-08 21:26 --------- d-----w C:\Program Files\Common Files\Sonic Shared
2008-03-01 23:26 --------- d-----w C:\Program Files\Java
2008-03-01 22:46 --------- d-----w C:\Program Files\GemMaster
2008-03-01 19:51 --------- d-----w C:\Program Files\Kontiki
2008-03-01 17:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee.com
2008-02-25 20:20 --------- d-----w C:\Program Files\Common Files\Adobe
2008-02-25 19:48 --------- d-----w C:\Program Files\Google
2008-02-06 17:58 --------- d-----w C:\Program Files\uTorrent
2008-02-03 22:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-03 22:34 --------- d-----w C:\Program Files\Lavasoft
2008-01-11 22:47 --------- d-----w C:\Program Files\iPod
2008-01-11 22:41 --------- d-----w C:\Program Files\Common Files\Apple
2008-01-04 23:27 774,144 ----a-w C:\Program Files\RngInterstitial.dll
2008-01-04 18:20 8,224 ----a-w C:\Documents and Settings\Naimh\Application Data\GDIPFONTCACHEV1.DAT
2007-05-19 23:11 104 --sh--r C:\WINDOWS\system32\DBDB1344D3.sys
2007-05-19 23:11 6,580 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2008-03-01 17:06 5674352]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2008-03-01 17:06 1694208]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 05:00 15360]
"kdx"="C:\Program Files\Kontiki\KHost.exe" [ ]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [ ]
"DellSupport"="C:\Program Files\Dell Support\DSAgnt.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-03-01 17:05 180269]
"WService"="WService.EXE" [2002-09-07 10:23 28672 C:\WINDOWS\system32\WService.exe]
"4oD"="C:\Program Files\Kontiki\KHost.exe" [ ]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2008-03-01 17:05 866584]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-01 17:05 267048]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-01 18:38 286720]
"SBI"="C:\Documents and Settings\Naimh\Local Settings\Temporary Internet Files\Content.IE5\57KKE4B6\install_sbd_en[1].exe" [ ]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-03-01 17:06 39792]
"MSKDetectorExe"="C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe" [ ]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe" [ ]
"VSOCheckTask"="C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" [2008-03-01 17:05 151552]
"VirusScan Online"="C:\Program Files\McAfee.com\VSO\mcvsshld.exe" [2008-03-01 17:13 163840]
"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2005-10-26 16:17 159744]
"OASClnt"="C:\Program Files\McAfee.com\VSO\oasclnt.exe" [2008-03-01 17:04 53248]
"MSKAGENTEXE"="C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe" [ ]
"MPFExe"="C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe" [2008-03-01 17:12 1005096]
"MMTray"="C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe" [ ]
"mmtask"="C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe" [ ]
"MessengerPlus3"="C:\Program Files\MessengerPlus! 3\MsgPlus.exe" [ ]
"MCUpdateExe"="c:\PROGRA~1\mcafee.com\agent\mcupdate.exe" [ ]
"MCAgentExe"="c:\PROGRA~1\mcafee.com\agent\mcagent.exe" [ ]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 10:44 81920]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [ ]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-07-19 23:09 94208]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-07-19 23:10 114688]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-07-19 23:06 77824]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-09-29 14:01 67584]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 16:19 53248]
"Corel Photo Downloader"="C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe" [ ]
"/AutoLaunchHDD70"="C:\Program Files\PHILIPS\HDDDMM\DMM\bin\AutoLaunchHDD70.exe" [ ]
"vptray"="C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe" [2003-12-17 22:00 90112]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-10 05:00 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Belkin 802.11g Wireless PCI Card Configuration Utility.lnk - C:\Program Files\Belkin\Belkin 802.11g Wireless PCI Card Configuration Utility\utility.exe [2006-01-06 14:31:51 327765]
Bluetooth.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [2005-07-22 15:50:16 577597]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Kontiki\\KService.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R2 UxTuneUp;TuneUp Design Expansion;C:\WINDOWS\System32\svchost.exe [2004-08-10 05:00]
R3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;C:\PROGRA~1\Belkin\BELKIN~1.11G\DNINDIS5.SYS [2003-07-24 12:10]
S3 CoachUsb;Coach Digital Camera on USB;C:\WINDOWS\system32\DRIVERS\CoachUsb.sys [2004-01-22 11:41]
S3 MSControlService;Microsoft cache control;C:\WINDOWS\system32\windows []
S3 ss_bus;SAMSUNG Mobile USB Device 1.0 driver (WDM);C:\WINDOWS\system32\DRIVERS\ss_bus.sys [2005-08-30 17:57]
S3 ss_mdfl;SAMSUNG Mobile USB Modem 1.0 Filter;C:\WINDOWS\system32\DRIVERS\ss_mdfl.sys [2005-08-30 17:58]
S3 ss_mdm;SAMSUNG Mobile USB Modem 1.0 Drivers;C:\WINDOWS\system32\DRIVERS\ss_mdm.sys [2005-08-30 17:59]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ce1e9828-b390-11da-a989-00115062b48a}]
\Shell\AutoRun\command - E:\setupSNK.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-01-25 19:08:06 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2006\SystemOptimizer.exe
"2008-01-11 22:34:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-03-10 20:02:03 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
"2008-03-10 20:07:09 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-10 20:16:59
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\MSControlService]
"ImagePath"="C:\WINDOWS\system32\windows"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\NavLogon.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Kontiki\KService.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\DRIVERS\WtSrv.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-03-10 20:20:55 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-10 20:20:52
ComboFix2.txt 2008-03-08 22:59:33
.
2008-03-08 21:37:52 --- E O F ---


HijackThis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:22:41, on 10/03/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Kontiki\KService.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\DRIVERS\WtSrv.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\WService.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Belkin\Belkin 802.11g Wireless PCI Card Configuration Utility\utility.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\WINDOWS\explorer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Naimh\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll (file missing)
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WService] WService.EXE
O4 - HKLM\..\Run: [4oD] "C:\Program Files\Kontiki\KHost.exe" -all
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SBI] C:\Documents and Settings\Naimh\Local Settings\Temporary Internet Files\Content.IE5\57KKE4B6\install_sbd_en[1].exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
O4 - HKLM\..\Run: [/AutoLaunchHDD70] C:\Program Files\PHILIPS\HDDDMM\DMM\bin\AutoLaunchHDD70.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Belkin 802.11g Wireless PCI Card Configuration Utility.lnk = ?
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/229?970d4b68e3f340db887575d1f6f7d18d
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/230?970d4b68e3f340db887575d1f6f7d18d
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/f...tup1.0.0.15.cab
O16 - DPF: {38D63471-E630-4492-A986-B8C48B79F2F8} (CVideoEgg_ActiveXCtl Object) - http://update.videoegg.com/wintel/VideoEggPublisher.exe
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - http://www.symantec.com/techsupp/asa/ss/sa...abs/tgctlsr.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: Microsoft cache control (MSControlService) - Unknown owner - C:\WINDOWS\system32\windows (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: WinTab Service (WinTabService) - Tablet Driver - C:\WINDOWS\system32\DRIVERS\WtSrv.exe

--
End of file - 11060 bytes

#6 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 10 March 2008 - 03:38 PM

Hi cooki2222,

Looks much better, but we still need to remove some items. :thumbsup:

Download CCleaner and install it. (default location is best). Do not run it yet!

CCleaner Tutorial

*******************************************

Select the following with HijackThis.
With all windows (including this one!) closed (close browser/explorer windows), please select "fix checked"

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll (file missing)
O4 - HKLM\..\Run: [SBI] C:\Documents and Settings\Naimh\Local Settings\Temporary Internet Files\Content.IE5\57KKE4B6\install_sbd_en[1].exe
O23 - Service: Microsoft cache control (MSControlService) - Unknown owner - C:\WINDOWS\system32\windows (file missing)



Let's delete the bad service:
Please copy (Ctrl+C) and paste (Ctrl+V) the following text in the code box to Notepad.
Save it to your desktop, make sure the file type is All Files, and name it FixService.bat

@echo off
sc stop MSControlService
sc delete MSControlService
exit

Double click FixService.bat. A window will open and close. This is normal.

*******************************************

*NOTE* CCleaner deletes EVERYTHING out of temp/temporary folders and does not make backups.

Let's empty the temp files:

Run CCleaner.

CAUTION: Please do NOT use the Issues or Registry button. This is a built-in registry cleaner. If you don't know how to use it, you may cause irreparable damage to your system.

1. Starting with v1.27.260, CCleaner installs the Yahoo Toolbar as an option which IS checkmarked by default during the installation.
IF you do NOT want it, REMOVE the checkmark when provided with the option OR download the toolbar-free Basic version instead of the Standard Build.


2. Before first use, select Options > Advanced and UNCHECK "Only delete files in Windows Temp folder older than 48 hours"

3. Then select the items you wish to clean up.

In the Windows Tab:
Clean all entries in the "Internet Explorer" section except Autocomplete Form History.
Clean all the entries in the "Windows Explorer" section.
Clean all entries in the "System" section except for Start Menu Shortcuts and Desktop Shortcuts.
Clean any others that you choose.

In the Applications Tab:
Clean all including cookies in the Firefox/Mozilla section if you use it.
Clean all in the Opera section if you use it.
Clean Sun Java in the Internet Section.
Clean any others that you choose.

4. Click the "Run Cleaner" button.
5. A pop up box will appear advising this process will permanently delete files from your system.
6. Click "OK" and it will scan and clean your system.
7. Click "exit" when done.

If it asks you to reboot at the end, click NO.

CCleaner should be run with the above settings for each User Account!

*******************************************

Reboot your computer, post a new HijackThis log, and tell me how your computer is running.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
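As an added illustration (not part of this thread or of HijackThis itself), the checks SifuMike applied to the log above, written as a small Python parser for HijackThis entry lines. The sample lines are constructed from this thread's own entries, and the three rules (target file missing, an O4 autorun launched from a temp folder, an O23 service with unknown owner and no executable image) are my reading of the heuristics, not HijackThis's own logic.

```python
import re

# Constructed sample modelled on the HijackThis lines quoted in this thread:
# the three entries SifuMike asked to fix, plus two benign ones for contrast.
SAMPLE_LOG = r"""
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll (file missing)
O4 - HKLM\..\Run: [SBI] C:\Documents and Settings\Naimh\Local Settings\Temporary Internet Files\Content.IE5\57KKE4B6\install_sbd_en[1].exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O23 - Service: Microsoft cache control (MSControlService) - Unknown owner - C:\WINDOWS\system32\windows (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
"""

ENTRY = re.compile(r"^(O\d+)\s+-\s+(.*)$")
# Folders nothing legitimate should auto-start from (heuristic, not an HJT rule).
TEMP_DIRS = ("temporary internet files", "\\local settings\\temp", "\\windows\\temp")
EXEC_EXT = (".exe", ".dll", ".sys", ".ocx", ".cpl")

def image_path(detail):
    """Best-effort image path from an entry's detail text: a quoted path if
    present, else the last ' - ' separated field minus HJT's '(file missing)'
    annotation and any trailing command-line switches."""
    quoted = re.search(r'"([^"]+)"', detail)
    if quoted:
        return quoted.group(1)
    field = detail.split(" - ")[-1]
    field = re.sub(r"\s*\(file missing\)\s*$", "", field)
    return re.split(r"\s+[-/]", field)[0].strip()

def suspicious_entries(log_text):
    """Return [(section, reasons, path)] for entries matching the checks
    applied in this thread; one entry may collect more than one reason."""
    hits = []
    for raw in log_text.splitlines():
        m = ENTRY.match(raw.strip())
        if not m:
            continue
        section, detail = m.groups()
        path = image_path(detail)
        low = path.lower()
        reasons = []
        if detail.rstrip().endswith("(file missing)"):
            reasons.append("target file missing (orphaned entry)")
        if section == "O4" and any(d in low for d in TEMP_DIRS):
            reasons.append("autorun launched from a temp folder")
        if section == "O23" and "unknown owner" in detail.lower() \
                and not low.endswith(EXEC_EXT):
            reasons.append("unknown-owner service without an executable image")
        if reasons:
            hits.append((section, reasons, path))
    return hits
```

Running `suspicious_entries(SAMPLE_LOG)` flags exactly the three entries from the fix list and leaves the Windows Defender and Ad-Aware lines alone.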

#7 cooki2222

cooki2222
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  • Local time:07:45 AM

Posted 10 March 2008 - 04:48 PM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:46:53, on 10/03/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Kontiki\KService.exe
C:\WINDOWS\system32\WService.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\DRIVERS\WtSrv.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Belkin\Belkin 802.11g Wireless PCI Card Configuration Utility\utility.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\Documents and Settings\Naimh\Desktop\HiJackThis.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WService] WService.EXE
O4 - HKLM\..\Run: [4oD] "C:\Program Files\Kontiki\KHost.exe" -all
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
O4 - HKLM\..\Run: [/AutoLaunchHDD70] C:\Program Files\PHILIPS\HDDDMM\DMM\bin\AutoLaunchHDD70.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Belkin 802.11g Wireless PCI Card Configuration Utility.lnk = ?
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/229?970d4b68e3f340db887575d1f6f7d18d
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/230?970d4b68e3f340db887575d1f6f7d18d
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/f...tup1.0.0.15.cab
O16 - DPF: {38D63471-E630-4492-A986-B8C48B79F2F8} (CVideoEgg_ActiveXCtl Object) - http://update.videoegg.com/wintel/VideoEggPublisher.exe
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - http://www.symantec.com/techsupp/asa/ss/sa...abs/tgctlsr.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: WinTab Service (WinTabService) - Tablet Driver - C:\WINDOWS\system32\DRIVERS\WtSrv.exe

--
End of file - 10737 bytes

#8 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:11:45 PM

Posted 10 March 2008 - 04:53 PM

Hi cooki2222,

Please tell me how the computer is running, and then we will finish up. :thumbsup:

#9 cooki2222

cooki2222
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  • Local time:07:45 AM

Posted 10 March 2008 - 04:56 PM

It's running fine, doesn't seem to be any problems.

#10 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:11:45 PM

Posted 10 March 2008 - 04:58 PM

Hi cooki2222,

That's music to my ears :thumbsup:.

Your log looks clean! :blink: Good job on the cleanup!


Uninstall ComboFix: go to Start > Run & type in ComboFix /u
Make sure there's a space between ComboFix and /
Then hit Enter.

This will uninstall ComboFix, delete any of its related folders and files (Qoobox, VundoFix Backups, Avenger, Deckard, _OTMoveIt), reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.


Please read and follow How did I get infected?, With steps so it does not happen again!
as well as
How to prevent Malware by miekiemoes


If you want to improve speed/system performance after malware removal, take a look here.

#11 cooki2222

cooki2222
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  • Local time:07:45 AM

Posted 10 March 2008 - 05:01 PM

Thanks very much, glad I was easy to work with lol

#12 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:11:45 PM

Posted 10 March 2008 - 05:05 PM

You are very welcome. I hope your computer continues to run smoothly. :thumbsup:

#13 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:11:45 PM

Posted 16 March 2008 - 02:52 PM

Since your problem appears to be resolved, this thread will now be closed. If you need this topic reopened, please contact me or a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.