Infected With Virus Identified As "lop Kriv [1]"


  • This topic is locked
10 replies to this topic

#1 dballa

dballa

  • Members
  • 5 posts
  • Local time:07:04 AM

Posted 22 April 2008 - 09:07 PM

I downloaded a file on the internet last week that contained a trojan horse virus. I have AVG 7.5 but it could not stop the infection. I moved it to the virus vault multiple times (as if it was reproducing). I found a website page titled "The Parasite Fight" and followed the recommended instructions: deleted temp files, removed "My Way Search Assistant" from Add/Remove Programs, and downloaded Ad-Aware, SpyHunter and Windows Defender. Each identified many infections in the registry and cookies. I purchased Advanced Registry Optimizer to supposedly correct over 200 registry errors. At this point, it seemed to correct and remove viruses from the registry, but several successive scans produced renewed infections in cookies. Ad-Aware and SpyHunter remove them but they just keep coming back. AVG continually flags the same "LOP" virus (moved to virus vault). I still frequently see pop-up ads that are full screen. I even carefully repeated all of the steps suggested in "The Parasite Fight." I am NOT a computer expert; my knowledge of this stuff is quite limited, so please keep this in mind when responding. I appreciate any suggestions, even if it ultimately means taking the computer to a repair shop and having it wiped and restored.

Note: I pasted the main.txt report below but I did not get (after two attempts) an extra.txt file.

Deckard's System Scanner v20071014.68
Run by Dan Balla on 2008-04-22 20:26:31
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Total Physical Memory: 503 MiB (512 MiB recommended).


-- HijackThis (run as Dan Balla.exe) -------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:26:38 PM, on 4/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\notepad.exe
C:\Documents and Settings\Dan Balla\Local Settings\Temporary Internet Files\Content.IE5\IG4UEWO1\dss[1].exe
C:\DOCUME~1\DANBAL~1\LOCALS~1\TEMPOR~1\Content.IE5\7PRL92DH\DANBAL~1.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/mywaybiz
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: (no name) - {00704276-CF2C-4C14-93B5-800ED08DF713} - C:\WINDOWS\system32\rqRhIBQh.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: (no name) - {C15B77C1-836E-414C-A157-B6A54906A706} - (no file)
O2 - BHO: (no name) - {FCBABDA2-801E-4F51-B6E8-0122032FB16B} - C:\WINDOWS\system32\khfGywtQ.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKLM\..\Policies\Explorer\Run: [AaUsa6bBde] C:\Documents and Settings\All Users\Application Data\bingdkdi\hchqnivq.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: dlbcserv.lnk = C:\Program Files\Dell Photo Printer 720\dlbcserv.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/...?p=ZUYYYYYYYYUS
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://download.windowsupdate.com
O16 - DPF: {01118A01-3E00-11D2-8470-0060089874ED} (SupportSoft Script Runner Class) - https://password.bellsouth.net/sdccommon/do...oad/tgctlsr.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/f...tup1.0.0.15.cab
O16 - DPF: {2ED9BC2B-4DF1-472E-9B5E-55477D2C97F5} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {3299935F-2C5A-499A-9908-95CFFF6EF8C1} (Quicksilver Class) - https://vapwdb.ops.placeware.com/etc/place/...quicksilver.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1114034572933
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1124633824937
O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.walmart.com/installer/install.cab
O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://www.homesteadhotels.com/minisite/ac...nd/MSSurVid.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/vir...l/installer.exe
O20 - Winlogon Notify: khfGywtQ - C:\WINDOWS\SYSTEM32\khfGywtQ.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD File System Service (InCDsrv) - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe

--
End of file - 10337 bytes

-- Files created between 2008-03-22 and 2008-04-22 -----------------------------

2008-04-21 22:29:25 0 dr-h----- C:\Documents and Settings\All Users\Application Data\yahoo!
2008-04-21 22:28:58 0 d-------- C:\Documents and Settings\Dan Balla\Application Data\Yahoo!
2008-04-20 09:52:00 0 d-------- C:\!KillBox
2008-04-20 09:23:08 0 d-------- C:\Program Files\Windows Installer Clean Up
2008-04-20 09:22:43 0 d-------- C:\Program Files\MSECACHE
2008-04-20 01:27:44 0 d-------- C:\Program Files\Lavasoft
2008-04-20 01:27:38 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-20 01:26:20 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-20 01:23:57 0 d-------- C:\Documents and Settings\Dan Balla\Application Data\Sammsoft
2008-04-20 01:23:38 0 d-------- C:\Program Files\Advanced Registry Optimizer
2008-04-20 01:20:37 0 d-------- C:\Program Files\Windows Defender
2008-04-19 23:04:39 0 d-------- C:\Documents and Settings\Dan Balla\Application Data\MSNInstaller
2008-04-19 22:15:23 0 d-------- C:\Program Files\Enigma Software Group
2008-04-17 19:39:57 324873 --ahs---- C:\WINDOWS\system32\hQBIhRqr.ini2
2008-04-17 19:39:48 272896 --a------ C:\WINDOWS\system32\rqRhIBQh.dll
2008-04-16 22:01:23 7059 --ahs---- C:\WINDOWS\system32\FgQpAJjl.ini2
2008-04-16 21:56:12 38400 --a------ C:\WINDOWS\system32\khfGywtQ.dll
2008-04-16 21:55:24 0 d-------- C:\Documents and Settings\All Users\Application Data\bingdkdi
2008-04-15 23:15:38 68 --a------ C:\WINDOWS\E
2008-03-24 18:03:02 0 d-------- C:\Documents and Settings\LocalService\Application Data\Adobe


-- Find3M Report ---------------------------------------------------------------

2008-04-21 22:52:21 8678 --a------ C:\WINDOWS\hh.dat
2008-04-21 22:51:41 0 d-------- C:\Documents and Settings\Dan Balla\Application Data\AVG7
2008-04-21 22:29:15 0 d-------- C:\Program Files\Yahoo!
2008-04-20 01:26:20 0 d-------- C:\Program Files\Common Files
2008-04-19 23:13:46 0 d-------- C:\Documents and Settings\Dan Balla\Application Data\Move Networks
2008-04-13 21:16:44 0 d-------- C:\Documents and Settings\Dan Balla\Application Data\Adobe
2008-04-13 21:11:35 1880 --a------ C:\WINDOWS\AUTOLNCH.REG
2008-04-11 20:28:30 0 d-------- C:\Program Files\Java
2008-03-29 17:11:06 0 d-------- C:\Documents and Settings\Dan Balla\Application Data\Apple Computer
2008-03-20 14:44:25 0 d-------- C:\Program Files\iTunes
2008-03-20 14:44:16 0 d-------- C:\Program Files\iPod
2008-03-16 14:34:20 0 d-------- C:\Documents and Settings\Dan Balla\Application Data\Winamp
2008-03-15 14:01:08 0 d-------- C:\Program Files\Online Services
2008-02-18 00:12:48 49992 --a------ C:\Documents and Settings\Dan Balla\Application Data\GDIPFONTCACHEV1.DAT


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{00704276-CF2C-4C14-93B5-800ED08DF713}]
04/17/2008 07:39 PM 272896 --a------ C:\WINDOWS\system32\rqRhIBQh.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C15B77C1-836E-414C-A157-B6A54906A706}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FCBABDA2-801E-4F51-B6E8-0122032FB16B}]
04/16/2008 09:56 PM 38400 --a------ C:\WINDOWS\system32\khfGywtQ.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [02/22/2008 04:25 AM]
"BJCFD"="C:\Program Files\BroadJump\Client Foundation\CFD.exe" [09/10/2002 09:26 PM]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [04/16/2008 06:04 AM]
"dscactivate"="C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe" [11/15/2007 10:24 AM]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [03/23/2006 09:17 PM]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [03/23/2006 09:13 PM]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [03/23/2006 09:17 PM]
"NeroCheck"="C:\WINDOWS\system32\\NeroCheck.exe" [07/09/2001 05:50 AM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [02/01/2008 12:13 AM]
"InCD"="C:\Program Files\Ahead\InCD\InCD.exe" [09/01/2003 08:32 AM]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [01/10/2008 11:41 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [03/15/2007 11:09 AM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 05:00 AM]
"DellSupportCenter"="C:\Program Files\Dell Support Center\bin\sprtcmd.exe" [11/15/2007 10:23 AM]
"EasyLinkAdvisor"="C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" [03/15/2007 07:16 PM]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [01/10/2008 11:41 AM]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [08/25/2007 02:28 PM]

C:\Documents and Settings\Dan Balla\Start Menu\Programs\Startup\
DESKTOP.INI [8/10/2004 1:04:12 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
DESKTOP.INI [8/10/2004 1:04:12 PM]
dlbcserv.lnk - C:\Program Files\Dell Photo Printer 720\dlbcserv.exe [4/20/2005 7:43:24 PM]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2/13/2001 2:01:04 AM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]
"AaUsa6bBde"=C:\Documents and Settings\All Users\Application Data\bingdkdi\hchqnivq.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{FCBABDA2-801E-4F51-B6E8-0122032FB16B}"= C:\WINDOWS\system32\khfGywtQ.dll [04/16/2008 09:56 PM 38400]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\khfGywtQ]
khfGywtQ.dll 04/16/2008 09:56 PM 38400 C:\WINDOWS\SYSTEM32\khfGywtQ.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\rqRhIBQh

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
"C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
"C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Hpppta]
C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan\hpppta.exe /ICON

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NapsterShell]
C:\Program Files\Napster\napster.exe /systray

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpyHunter Security Suite]
C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
"C:\Program Files\Winamp\winampa.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
"C:\Program Files\Windows Defender\MSASCui.exe" -hide


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{19e12c3e-aee0-11db-abe8-001320194846}]
AutoRun\command- F:\LaunchU3.exe -a


-- End of Deckard's System Scanner: finished at 2008-04-22 20:27:16 ------------

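An added triage helper, not part of the original post and not one of the tools used in this thread (it is neither HijackThis nor Deckard's System Scanner): it applies, in code, the checks a helper makes by eye on the log above, flagging the load points that recur there (an unnamed BHO, a Winlogon Notify DLL, a ShellExecuteHook, an extra LSA authentication package, a value under Policies\Explorer\Run) and file names that look machine-generated. The sample input reproduces lines from the log above; the rules, the "high"/"review" severities and the name heuristic are this example's own assumptions.

```python
"""Triage a HijackThis / Deckard-style log for the load points seen in the thread above.
Added example: not HijackThis, Deckard's scanner or any tool used in the thread;
the rules, severity labels and name heuristic are this example's own."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Sample input: lines copied (abridged) from the log posted above, plus two benign
# entries (the Adobe BHO and an AVG service) so the rules have something to ignore.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {00704276-CF2C-4C14-93B5-800ED08DF713} - C:\WINDOWS\system32\rqRhIBQh.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {C15B77C1-836E-414C-A157-B6A54906A706} - (no file)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Policies\Explorer\Run: [AaUsa6bBde] C:\Documents and Settings\All Users\Application Data\bingdkdi\hchqnivq.exe
O4 - Global Startup: dlbcserv.lnk = C:\Program Files\Dell Photo Printer 720\dlbcserv.exe
O20 - Winlogon Notify: khfGywtQ - C:\WINDOWS\SYSTEM32\khfGywtQ.dll
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
2008-04-17 19:39:57 324873 --ahs---- C:\WINDOWS\system32\hQBIhRqr.ini2
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{FCBABDA2-801E-4F51-B6E8-0122032FB16B}"= C:\WINDOWS\system32\khfGywtQ.dll [04/16/2008 09:56 PM 38400]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\rqRhIBQh
"""

HJT_RE = re.compile(r"^(?P<sec>O\d+) - (?P<body>.*)$")          # "O20 - Winlogon Notify: ..."
AUTHPKG_RE = re.compile(r'^"Authentication Packages"=\s*(.*)$')  # Deckard's LSA dump line


@dataclass(frozen=True)
class Finding:
    severity: str  # "high": a load point malware favours; "review": name heuristic only
    reason: str
    line: str


def file_stem(text: str) -> str:
    """Bare name (no directory, no extension) of the last Windows path on a line."""
    if "\\" not in text:
        return ""
    parts = text.rsplit("\\", 1)[1].split()
    tail = parts[0].strip('"') if parts else ""
    return re.sub(r"\.[A-Za-z0-9]+$", "", tail)


def looks_random(stem: str) -> bool:
    """Eight letters with heavy case flipping or almost no vowels: the shape of
    rqRhIBQh / khfGywtQ / hchqnivq above. Deliberately loose, see the note below."""
    if len(stem) != 8 or not stem.isalpha():
        return False
    flips = sum(1 for a, b in zip(stem, stem[1:]) if a.isupper() != b.isupper())
    vowels = sum(1 for c in stem if c in "aeiouAEIOU")
    return flips >= 3 or vowels <= 1


def check_hjt(sec: str, body: str, line: str) -> list[Finding]:
    """Load-point rules for HijackThis O-lines (at most one finding per line)."""
    if sec == "O20" and body.startswith("Winlogon Notify:"):
        return [Finding("high", "Winlogon Notify DLL: loaded by winlogon.exe at logon", line)]
    if sec == "O4" and "Policies\\Explorer\\Run" in body:
        return [Finding("high", "Policies\\Explorer\\Run: policy autorun key, rarely used legitimately", line)]
    if sec == "O2" and body.startswith("BHO: (no name)"):
        if body.endswith("(no file)"):
            return [Finding("review", "orphaned BHO CLSID: registered but its DLL is gone", line)]
        return [Finding("high", "unnamed BHO: loaded into Internet Explorer", line)]
    return []


def triage(log: str) -> list[Finding]:
    """Scan HijackThis lines, Deckard file-list lines and REGEDIT-style dump lines."""
    findings: list[Finding] = []
    current_key = ""
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):  # registry key header
            current_key = line[1:-1].lower()
            continue
        if (m := HJT_RE.match(line)):
            findings.extend(check_hjt(m["sec"], m["body"], line))
        elif (m := AUTHPKG_RE.match(line)):
            for pkg in m[1].split():  # XP ships with msv1_0 alone
                if pkg.lower() != "msv1_0":
                    findings.append(Finding("high", f"extra LSA authentication package {pkg}: loaded into lsass.exe", line))
        elif "shellexecutehooks" in current_key and line.startswith('"{'):
            findings.append(Finding("high", "ShellExecuteHook DLL: called by Explorer on every ShellExecute", line))
        stem = file_stem(line)
        if stem and looks_random(stem):
            findings.append(Finding("review", f"machine-generated-looking file name {stem!r}", line))
    return findings


def suspect_files(findings: list[Finding]) -> set[str]:
    """Distinct file names behind the 'high' findings: the removal worklist."""
    return {file_stem(f.line) for f in findings if f.severity == "high" and file_stem(f.line)}


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.reason}\n  {f.line}")
```

On the sample above the worklist comes out as rqRhIBQh, khfGywtQ and hchqnivq, the three names that also sit behind the BHO, Winlogon Notify, ShellExecuteHooks and LSA entries in the log. The name heuristic is loose on purpose and also trips on a few legitimate short names (dlbcserv.exe from the printer driver above, dnsrslvr.dll from Windows), which is why a name-only hit is "review" and only a load-point rule yields "high". It is worth running the same checks on the follow-up log: the ComboFix log later in this thread lists khfGywtQ.dll among its deletions but still shows the AaUsa6bBde value under Policies\Explorer\Run in its "Reg Loading Points" section.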

#2 Thunder

Thunder

  • Members
  • 3,294 posts
  • Gender:Male
  • Location:Belgium
  • Local time:02:04 PM

Posted 25 April 2008 - 02:52 AM

Hello Dballa and welcome to BleepingComputer,

1. * Clean your Cache and Cookies in IE:
  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Under Browsing History, click Delete.
  • Click Delete Files, Delete cookies and Delete history
  • Click Close below.
* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
  • Go to Tools > Options.
  • Click Privacy in the menu..
  • Click the Clear now button below. A new window will pop up asking what to clear.
  • Select all and click the Clear button again.
  • Click OK to close the Options window
* Clean other Temporary files + Recycle bin
  • Go to start > run and type: cleanmgr and click ok.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.
2. Please download Malwarebytes' Anti-Malware from Here or Here

Doubleclick mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply along with a fresh HijackThis log.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with one of two prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

3. Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.
The Windows Recovery Console will allow you to boot up into a special recovery mode, in case your computer has a problem after an attempted removal of malware. This allows us to help you.

In the event you already have Combofix, delete your current version and download the latest version as described in the tutorial.
It must be saved directly to your desktop.


Note: Make sure not to click ComboFix's window while it's running. That may cause it to stall or freeze.

Please post the log from ComboFix (can also be found as C:\ComboFix.txt) in your next reply.

If you have any questions along the way, STOP and ask them before proceeding !!

Greetings,
Thunder
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted - And make a difference

#3 dballa

dballa
  • Topic Starter

  • Members
  • 5 posts
  • Local time:07:04 AM

Posted 26 April 2008 - 02:59 PM

To: Thunder
From: Dan Balla

Thank you for the detailed instructions and your assistance. I have completed everything you suggested. I do not know if there is any virus remaining on my computer, but here are the logs that you requested: 1) ComboFix.txt log, 2) Malwarebytes log, and 3) new HijackThis log. Can you tell by looking at these logs if the virus is completely gone? Please advise me on what I should do next. Are there any additional steps? Are there any settings to adjust on my computer? Should I delete ComboFix when done? I greatly appreciate your help.

DBalla


COMBOFIX LOG:

ComboFix 08-04-24.1 - Dan Balla 2008-04-26 14:15:45.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.172 [GMT -5:00]
Running from: C:\Documents and Settings\Dan Balla\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Dan Balla\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\Downloaded Program Files\setup.inf
C:\WINDOWS\SYSTEM32\FgQpAJjl.ini
C:\WINDOWS\SYSTEM32\FgQpAJjl.ini2
C:\WINDOWS\SYSTEM32\hQBIhRqr.ini
C:\WINDOWS\system32\khfGywtQ.dll

.
((((((((((((((((((((((((( Files Created from 2008-03-26 to 2008-04-26 )))))))))))))))))))))))))))))))
.

2008-04-26 13:16 . 2008-04-26 13:16 <DIR> d-------- C:\Documents and Settings\Dan Balla\Application Data\Malwarebytes
2008-04-26 13:15 . 2008-04-26 13:15 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-26 13:15 . 2008-04-26 13:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-25 20:56 . 2008-04-25 20:56 <DIR> d-------- C:\Cache
2008-04-22 20:14 . 2008-04-22 20:14 <DIR> d-------- C:\Deckard
2008-04-21 22:29 . 2008-04-21 22:29 <DIR> dr-h----- C:\Documents and Settings\All Users\Application Data\yahoo!
2008-04-21 22:28 . 2008-04-21 22:28 <DIR> d-------- C:\Documents and Settings\Dan Balla\Application Data\Yahoo!
2008-04-20 09:52 . 2008-04-21 20:40 <DIR> d-------- C:\!KillBox
2008-04-20 09:23 . 2008-04-20 09:23 <DIR> d-------- C:\Program Files\Windows Installer Clean Up
2008-04-20 09:22 . 2008-04-20 09:22 <DIR> d-------- C:\Program Files\MSECACHE
2008-04-20 01:27 . 2008-04-20 01:27 <DIR> d-------- C:\Program Files\Lavasoft
2008-04-20 01:27 . 2008-04-20 01:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-20 01:26 . 2008-04-20 01:26 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-20 01:20 . 2008-04-20 01:20 <DIR> d-------- C:\Program Files\Windows Defender
2008-04-19 23:04 . 2008-04-19 23:04 <DIR> d-------- C:\Documents and Settings\Dan Balla\Application Data\MSNInstaller
2008-04-19 22:15 . 2008-04-19 22:15 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-04-16 21:55 . 2008-04-17 19:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\bingdkdi
2008-04-15 23:15 . 2008-04-15 23:15 68 --a------ C:\WINDOWS\E

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-24 03:51 --------- d-----w C:\Documents and Settings\Dan Balla\Application Data\AVG7
2008-04-22 03:29 --------- d-----w C:\Program Files\Yahoo!
2008-04-22 03:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-04-20 15:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\AVG7
2008-04-20 04:13 --------- d-----w C:\Documents and Settings\Dan Balla\Application Data\Move Networks
2008-04-14 02:11 1,880 ----a-w C:\WINDOWS\AUTOLNCH.REG
2008-04-12 01:28 --------- d-----w C:\Program Files\Java
2008-03-29 22:11 --------- d-----w C:\Documents and Settings\Dan Balla\Application Data\Apple Computer
2008-03-20 19:44 --------- d-----w C:\Program Files\iTunes
2008-03-20 19:44 --------- d-----w C:\Program Files\iPod
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\SYSTEM32\win32k.sys
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\win32k.sys
2008-03-16 19:34 --------- d-----w C:\Documents and Settings\Dan Balla\Application Data\Winamp
2008-03-11 13:00 --------- d-----w C:\Documents and Settings\LocalService\Application Data\AVG7
2008-03-01 23:36 3,591,680 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtml.dll
2008-02-29 08:55 70,656 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\ie4uinit.exe
2008-02-29 08:55 625,664 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\iexplore.exe
2008-02-26 16:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\Dell
2008-02-22 10:00 13,824 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieudinit.exe
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\SYSTEM32\gdi32.dll
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\SYSTEM32\dnsrslvr.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\dnsrslvr.dll
2008-02-20 05:32 148,992 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\dnsapi.dll
2008-02-18 05:12 49,992 ----a-w C:\Documents and Settings\Dan Balla\Application Data\GDIPFONTCACHEV1.DAT
2008-02-15 05:44 161,792 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\ieakui.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 11:09 460784]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]
"DellSupportCenter"="C:\Program Files\Dell Support Center\bin\sprtcmd.exe" [2007-11-15 10:23 202544]
"EasyLinkAdvisor"="C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" [2007-03-15 19:16 454784]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2008-01-10 11:41 223984]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-25 14:28 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"BJCFD"="C:\Program Files\BroadJump\Client Foundation\CFD.exe" [2002-09-10 21:26 368706]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-04-16 06:04 579584]
"dscactivate"="C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 10:24 16384]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2006-03-23 21:17 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2006-03-23 21:13 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2006-03-23 21:17 118784]
"NeroCheck"="C:\WINDOWS\system32\\NeroCheck.exe" [2001-07-09 05:50 155648]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-02-01 00:13 385024]
"InCD"="C:\Program Files\Ahead\InCD\InCD.exe" [2003-09-01 08:32 1200178]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2008-01-10 11:41 223984]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-22 18:44 219136]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
dlbcserv.lnk - C:\Program Files\Dell Photo Printer 720\dlbcserv.exe [2005-04-20 19:43:24 315392]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"AaUsa6bBde"= C:\Documents and Settings\All Users\Application Data\bingdkdi\hchqnivq.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
--a------ 2007-03-09 12:09 63712 C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 23:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Hpppta]
--a------ 2000-12-05 13:02 86016 C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan\hpppta.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-02-19 13:10 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
---hs---- 2004-10-13 11:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NapsterShell]
--a------ 2007-12-10 15:35 323216 C:\Program Files\Napster\napster.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpyHunter Security Suite]
--a------ 2008-01-23 14:47 847872 C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2007-08-25 14:28 68856 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a------ 2007-12-20 10:16 37376 C:\Program Files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
--a------ 2006-11-03 19:20 866584 C:\Program Files\Windows Defender\MSASCui.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1731:UDP"= 1731:UDP:Windows Media Format SDK (iexplore.exe)
"1730:UDP"= 1730:UDP:Windows Media Format SDK (iexplore.exe)
"1737:UDP"= 1737:UDP:Windows Media Format SDK (iexplore.exe)
"1736:UDP"= 1736:UDP:Windows Media Format SDK (iexplore.exe)
"1742:UDP"= 1742:UDP:Windows Media Format SDK (iexplore.exe)
"1743:UDP"= 1743:UDP:Windows Media Format SDK (iexplore.exe)

R1 ATMhelpr;ATMhelpr;C:\WINDOWS\system32\drivers\ATMhelpr.sys [1997-06-17 04:00]
R2 sprtsvc_dellsupportcenter;SupportSoft Sprocket Service (dellsupportcenter);C:\Program Files\Dell Support Center\bin\sprtsvc.exe [2007-11-15 10:23]
S3 usbprint;Microsoft USB PRINTER Class;C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-03 23:01]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{19e12c3e-aee0-11db-abe8-001320194846}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

.
Contents of the 'Scheduled Tasks' folder
"2008-03-20 19:33:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-04-26 19:22:54 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2008-04-20 16:46:00 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC Nag.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
"2007-07-15 16:46:57 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-26 14:20:16
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\SYSTEM32\LEXBCES.EXE
C:\WINDOWS\SYSTEM32\LEXPPS.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Ahead\InCD\incdsrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
.
**************************************************************************
.
Completion time: 2008-04-26 14:27:04 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-26 19:27:01

Pre-Run: 21,322,461,184 bytes free
Post-Run: 21,321,527,296 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

182 --- E O F --- 2008-04-23 00:04:44



HERE IS THE MALWAREBYTES LOG:

Malwarebytes' Anti-Malware 1.11
Database version: 686

Scan type: Quick Scan
Objects scanned: 35972
Time elapsed: 9 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 24
Registry Values Infected: 1
Registry Data Items Infected: 2
Folders Infected: 6
Files Infected: 29

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\SYSTEM32\rqRhIBQh.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\SYSTEM32\khfGywtQ.dll (Trojan.Vundo) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{354267f0-59e8-4ea2-8f95-8a877782eb49} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{354267f0-59e8-4ea2-8f95-8a877782eb49} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{147a976f-eee1-4377-8ea7-4716e4cdd239} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{9afb8248-617f-460d-9366-d71cdeda3179} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a4730ebe-43a6-443e-9776-36915d323ad3} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{2e9937fc-cf2f-4f56-af54-5a6a3dd375cc} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{741de825-a6f0-4497-9aa6-8023cf9b0fff} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{fcbabda2-801e-4f51-b6e8-0122032fb16b} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{fcbabda2-801e-4f51-b6e8-0122032fb16b} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\khfgywtq (Trojan.Vundo) -> Delete on reboot.
HKEY_CURRENT_USER\Software\uninstall (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\mwc (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Sammsoft (Rogue.Advanced.Registry.Optimizer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywebsearch.pseudotransparentplugin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywebsearch.pseudotransparentplugin.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\FunWebProducts (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Fun Web Products (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\VideoPlugin (Trojan.Fakealert) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{fcbabda2-801e-4f51-b6e8-0122032fb16b} (Trojan.Vundo) -> Delete on reboot.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\rqrhibqh -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\rqrhibqh -> Delete on reboot.

Folders Infected:
C:\Program Files\Advanced Registry Optimizer (Rogue.Advanced.Registry.Optimizer) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Advanced Registry Optimizer (Rogue.Advanced.Registry.Optimizer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Dan Balla\Application Data\Sammsoft (Rogue.Advanced.Registry.Optimizer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Dan Balla\Application Data\Sammsoft\Advanced Registry Optimizer (Rogue.Advanced.Registry.Optimizer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Dan Balla\Application Data\Sammsoft\Advanced Registry Optimizer\Version 50 (Rogue.Advanced.Registry.Optimizer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Dan Balla\Application Data\Sammsoft\Advanced Registry Optimizer\Version 50\Partial Backups (Rogue.Advanced.Registry.Optimizer) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\SYSTEM32\rqRhIBQh.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\hQBIhRqr.ini (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\hQBIhRqr.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\khfGywtQ.dll (Trojan.Vundo) -> Delete on reboot.
C:\Program Files\Advanced Registry Optimizer\ARO.chm (Rogue.Advanced.Registry.Optimizer) -> Quarantined and deleted successfully.
C:\Program Files\Advanced Registry Optimizer\ARO.exe (Rogue.Advanced.Registry.Optimizer) -> Quarantined and deleted successfully.
C:\Program Files\Advanced Registry Optimizer\AROSS.dll (Rogue.Advanced.Registry.Optimizer) -> Quarantined and deleted successfully.
C:\Program Files\Advanced Registry Optimizer\CheckForV4.dll (Rogue.Advanced.Registry.Optimizer) -> Quarantined and deleted successfully.
C:\Program Files\Advanced Registry Optimizer\CleanSchedule.exe (Rogue.Advanced.Registry.Optimizer) -> Quarantined and deleted successfully.
C:\Program Files\Advanced Registry Optimizer\soref.dll (Rogue.Advanced.Registry.Optimizer) -> Quarantined and deleted successfully.
C:\Program Files\Advanced Registry Optimizer\unins000.dat (Rogue.Advanced.Registry.Optimizer) -> Quarantined and deleted successfully.
C:\Program Files\Advanced Registry Optimizer\unins000.exe (Rogue.Advanced.Registry.Optimizer) -> Quarantined and deleted successfully.
C:\Program Files\Advanced Registry Optimizer\uninstall.hta (Rogue.Advanced.Registry.Optimizer) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Advanced Registry Optimizer\Advanced Registry Optimizer.lnk (Rogue.Advanced.Registry.Optimizer) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Advanced Registry Optimizer\Uninstall Advanced Registry Optimizer.lnk (Rogue.Advanced.Registry.Optimizer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Dan Balla\Application Data\Sammsoft\Advanced Registry Optimizer\Version 50\1208675157.reg (Rogue.Advanced.Registry.Optimizer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Dan Balla\Application Data\Sammsoft\Advanced Registry Optimizer\Version 50\1208678292.reg (Rogue.Advanced.Registry.Optimizer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Dan Balla\Application Data\Sammsoft\Advanced Registry Optimizer\Version 50\1208717005.reg (Rogue.Advanced.Registry.Optimizer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Dan Balla\Application Data\Sammsoft\Advanced Registry Optimizer\Version 50\backup.bin (Rogue.Advanced.Registry.Optimizer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Dan Balla\Application Data\Sammsoft\Advanced Registry Optimizer\Version 50\ExcludeList.aro (Rogue.Advanced.Registry.Optimizer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Dan Balla\Application Data\Sammsoft\Advanced Registry Optimizer\Version 50\results.aro (Rogue.Advanced.Registry.Optimizer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Dan Balla\Application Data\Sammsoft\Advanced Registry Optimizer\Version 50\TempHLList.aro (Rogue.Advanced.Registry.Optimizer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Dan Balla\Application Data\Sammsoft\Advanced Registry Optimizer\Version 50\Partial Backups\00000001.rmb (Rogue.Advanced.Registry.Optimizer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Dan Balla\Application Data\Sammsoft\Advanced Registry Optimizer\Version 50\Partial Backups\00000001.rmi (Rogue.Advanced.Registry.Optimizer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Dan Balla\Application Data\Sammsoft\Advanced Registry Optimizer\Version 50\Partial Backups\00000002.rmb (Rogue.Advanced.Registry.Optimizer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Dan Balla\Application Data\Sammsoft\Advanced Registry Optimizer\Version 50\Partial Backups\00000002.rmi (Rogue.Advanced.Registry.Optimizer) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\BSZIP.DLL (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Dan Balla\Desktop\Check PC For Errors.lnk (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\Dan Balla\Application Data\Microsoft\Internet Explorer\Quick Launch\Check PC For Errors.lnk (Rogue.Link) -> Quarantined and deleted successfully.



AND FINALLY, HERE IS THE NEW HIJACK THIS LOG:

Deckard's System Scanner v20071014.68
Run by Dan Balla on 2008-04-26 14:43:44
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Total Physical Memory: 503 MiB (512 MiB recommended).


-- HijackThis (run as Dan Balla.exe) -------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:44:41 PM, on 4/26/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Documents and Settings\Dan Balla\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Dan Balla.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/mywaybiz
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKLM\..\Policies\Explorer\Run: [AaUsa6bBde] C:\Documents and Settings\All Users\Application Data\bingdkdi\hchqnivq.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: dlbcserv.lnk = C:\Program Files\Dell Photo Printer 720\dlbcserv.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/...?p=ZUYYYYYYYYUS
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://download.windowsupdate.com
O16 - DPF: {01118A01-3E00-11D2-8470-0060089874ED} (SupportSoft Script Runner Class) - https://password.bellsouth.net/sdccommon/do...oad/tgctlsr.cab
O16 - DPF: {2ED9BC2B-4DF1-472E-9B5E-55477D2C97F5} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {3299935F-2C5A-499A-9908-95CFFF6EF8C1} (Quicksilver Class) - https://vapwdb.ops.placeware.com/etc/place/...quicksilver.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1114034572933
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1124633824937
O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.walmart.com/installer/install.cab
O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://www.homesteadhotels.com/minisite/ac...nd/MSSurVid.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/vir...l/installer.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD File System Service (InCDsrv) - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe

--
End of file - 9645 bytes

-- Files created between 2008-03-26 and 2008-04-26 -----------------------------

2008-04-26 14:44:24 0 d-------- C:\Program Files\Trend Micro
2008-04-26 14:15:32 0 d-------- C:\cmdcons
2008-04-26 14:10:51 68096 --a------ C:\WINDOWS\zip.exe
2008-04-26 14:10:51 49152 --a------ C:\WINDOWS\VFind.exe
2008-04-26 14:10:51 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-04-26 14:10:51 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-04-26 14:10:51 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-04-26 14:10:51 98816 --a------ C:\WINDOWS\sed.exe
2008-04-26 14:10:51 80412 --a------ C:\WINDOWS\grep.exe
2008-04-26 14:10:51 73728 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-04-26 13:16:01 0 d-------- C:\Documents and Settings\Dan Balla\Application Data\Malwarebytes
2008-04-26 13:15:45 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-26 13:15:44 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-25 20:56:49 0 d-------- C:\Cache
2008-04-21 22:29:25 0 dr-h----- C:\Documents and Settings\All Users\Application Data\yahoo!
2008-04-21 22:28:58 0 d-------- C:\Documents and Settings\Dan Balla\Application Data\Yahoo!
2008-04-20 09:52:00 0 d-------- C:\!KillBox
2008-04-20 09:23:08 0 d-------- C:\Program Files\Windows Installer Clean Up
2008-04-20 09:22:43 0 d-------- C:\Program Files\MSECACHE
2008-04-20 01:27:44 0 d-------- C:\Program Files\Lavasoft
2008-04-20 01:27:38 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-20 01:26:20 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-20 01:20:37 0 d-------- C:\Program Files\Windows Defender
2008-04-19 23:04:39 0 d-------- C:\Documents and Settings\Dan Balla\Application Data\MSNInstaller
2008-04-19 22:15:23 0 d-------- C:\Program Files\Enigma Software Group
2008-04-16 21:55:24 0 d-------- C:\Documents and Settings\All Users\Application Data\bingdkdi
2008-04-15 23:15:38 68 --a------ C:\WINDOWS\E


-- Find3M Report ---------------------------------------------------------------

2008-04-23 22:51:41 0 d-------- C:\Documents and Settings\Dan Balla\Application Data\AVG7
2008-04-21 22:52:21 8678 --a------ C:\WINDOWS\hh.dat
2008-04-21 22:29:15 0 d-------- C:\Program Files\Yahoo!
2008-04-20 01:26:20 0 d-------- C:\Program Files\Common Files
2008-04-19 23:13:46 0 d-------- C:\Documents and Settings\Dan Balla\Application Data\Move Networks
2008-04-13 21:16:44 0 d-------- C:\Documents and Settings\Dan Balla\Application Data\Adobe
2008-04-13 21:11:35 1880 --a------ C:\WINDOWS\AUTOLNCH.REG
2008-04-11 20:28:30 0 d-------- C:\Program Files\Java
2008-03-29 17:11:06 0 d-------- C:\Documents and Settings\Dan Balla\Application Data\Apple Computer
2008-03-20 14:44:25 0 d-------- C:\Program Files\iTunes
2008-03-20 14:44:16 0 d-------- C:\Program Files\iPod
2008-03-16 14:34:20 0 d-------- C:\Documents and Settings\Dan Balla\Application Data\Winamp
2008-03-15 14:01:08 0 d-------- C:\Program Files\Online Services
2008-02-18 00:12:48 49992 --a------ C:\Documents and Settings\Dan Balla\Application Data\GDIPFONTCACHEV1.DAT


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [02/22/2008 04:25 AM]
"BJCFD"="C:\Program Files\BroadJump\Client Foundation\CFD.exe" [09/10/2002 09:26 PM]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [04/16/2008 06:04 AM]
"dscactivate"="C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe" [11/15/2007 10:24 AM]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [03/23/2006 09:17 PM]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [03/23/2006 09:13 PM]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [03/23/2006 09:17 PM]
"NeroCheck"="C:\WINDOWS\system32\\NeroCheck.exe" [07/09/2001 05:50 AM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [02/01/2008 12:13 AM]
"InCD"="C:\Program Files\Ahead\InCD\InCD.exe" [09/01/2003 08:32 AM]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [01/10/2008 11:41 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [03/15/2007 11:09 AM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 05:00 AM]
"DellSupportCenter"="C:\Program Files\Dell Support Center\bin\sprtcmd.exe" [11/15/2007 10:23 AM]
"EasyLinkAdvisor"="C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" [03/15/2007 07:16 PM]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [01/10/2008 11:41 AM]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [08/25/2007 02:28 PM]

C:\Documents and Settings\Dan Balla\Start Menu\Programs\Startup\
DESKTOP.INI [8/10/2004 1:04:12 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
DESKTOP.INI [8/10/2004 1:04:12 PM]
dlbcserv.lnk - C:\Program Files\Dell Photo Printer 720\dlbcserv.exe [4/20/2005 7:43:24 PM]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2/13/2001 2:01:04 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]
"AaUsa6bBde"=C:\Documents and Settings\All Users\Application Data\bingdkdi\hchqnivq.exe

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
"C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
"C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Hpppta]
C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan\hpppta.exe /ICON

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NapsterShell]
C:\Program Files\Napster\napster.exe /systray

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpyHunter Security Suite]
C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
"C:\Program Files\Winamp\winampa.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
"C:\Program Files\Windows Defender\MSASCui.exe" -hide


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{19e12c3e-aee0-11db-abe8-001320194846}]
AutoRun\command- F:\LaunchU3.exe -a


-- End of Deckard's System Scanner: finished at 2008-04-26 14:45:00 -----------
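The logs above are long, and the two entries that actually matter are buried among dozens of legitimate autostarts. As an added example (it is not part of this thread and not HijackThis or ComboFix code), here is a small Python triage script that reads HijackThis-style O3/O4 lines and scores them with the signals a helper applies by eye: a toolbar CLSID with "(no file)" behind it, the seldom-legitimate Policies\Explorer\Run key, an executable living under a data or temp directory, and random-looking file or folder names. The sample lines are constructed from the shapes seen in the log, and the point values and the vowel-ratio threshold in looks_random are arbitrary assumptions.

```python
"""Triage HijackThis O3/O4 lines: which autostart entries deserve "Fix checked".

Added example for this thread; it is not HijackThis code and not part of any
post. It scores each entry with the signals a helper applies by eye: an
orphaned toolbar CLSID, the Policies\\Explorer\\Run key, an executable under a
data or temp directory, and random-looking file or directory names. The
sample lines, the point values and the random-name threshold are assumptions.
"""
import re
from dataclasses import dataclass, field
from pathlib import PureWindowsPath
from typing import List, Optional

# Constructed sample: a few lines in the same shapes as the posted log, not the whole log.
SAMPLE_HJT = r"""
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Policies\Explorer\Run: [AaUsa6bBde] C:\Documents and Settings\All Users\Application Data\bingdkdi\hchqnivq.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - Global Startup: dlbcserv.lnk = C:\Program Files\Dell Photo Printer 720\dlbcserv.exe
"""

O3_RE = re.compile(r"^O3 - Toolbar: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<key>[^:]+): \[(?P<value>[^\]]*)\] (?P<cmd>.*?)(?: \(User '[^']*'\))?$")
O4_STARTUP_RE = re.compile(r"^O4 - Global Startup: (?P<value>.*?) = (?P<cmd>.*)$")
IMAGE_RE = re.compile(r"^(.*?\.(?:exe|dll|scr|cpl|bat|cmd))(?:\s|$)", re.IGNORECASE)
DATA_DIRS = ("\\application data\\", "\\programdata\\", "\\temp\\")


@dataclass
class Finding:
    line: str
    score: int = 0
    reasons: List[str] = field(default_factory=list)

    def add(self, points: int, reason: str) -> None:
        self.score += points
        self.reasons.append(reason)

    @property
    def verdict(self) -> str:
        # Two or more points: tick it in HijackThis. One point: look closer first.
        return "fix" if self.score >= 2 else ("review" if self.score else "ok")


def image_path(cmd: str) -> str:
    """Strip quotes and arguments from an O4 command, keeping the executable path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1 : cmd.find('"', 1)]
    m = IMAGE_RE.match(cmd)           # unquoted paths may contain spaces
    return m.group(1) if m else cmd.split()[0]


def looks_random(name: str) -> bool:
    """Lowercase-only names of 7+ letters with few vowels (hchqnivq, bingdkdi)."""
    if not re.fullmatch(r"[a-z]{7,}", name):
        return False
    return sum(c in "aeiou" for c in name) / len(name) <= 0.25   # assumed threshold


def triage(hjt_text: str) -> List[Finding]:
    findings: List[Finding] = []
    for line in (l.strip() for l in hjt_text.splitlines()):
        if not line:
            continue
        f = Finding(line)
        path: Optional[str]
        if m := O3_RE.match(line):
            path = None if m["path"] == "(no file)" else m["path"]
            if path is None:
                f.add(2, "toolbar CLSID with no file behind it (orphaned entry)")
        elif m := O4_RE.match(line):
            path = image_path(m["cmd"])
            if "policies\\explorer\\run" in m["key"].lower():
                f.add(2, "Policies\\Explorer\\Run key, rarely used by legitimate software")
        elif m := O4_STARTUP_RE.match(line):
            path = image_path(m["cmd"])
        else:
            continue                  # not an O3/O4 line
        if path:
            p = PureWindowsPath(path)
            if any(d in path.lower() for d in DATA_DIRS):
                f.add(1, "executable lives under a data/temp directory")
            if looks_random(p.stem):
                f.add(1, f"random-looking file name {p.name}")
            if looks_random(p.parent.name):
                f.add(1, f"random-looking directory {p.parent.name}")
        findings.append(f)
    return findings


def fix_candidates(hjt_text: str) -> List[str]:
    """Lines a helper would tell the user to tick and 'Fix checked'."""
    return [f.line for f in triage(hjt_text) if f.verdict == "fix"]


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT):
        print(f"{f.verdict:6} {f.line}")
        for r in f.reasons:
            print(f"         - {r}")
```

Run on the sample, it marks the orphaned toolbar entry and the hchqnivq.exe entry as "fix" and lists the Dell printer helper dlbcserv.exe for "review" only, because its name happens to trip the random-name check. That is the point of the score: the heuristics produce leads for a human to confirm against the vendor and file location, not verdicts.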

#4 Thunder

  • Members
  • 3,294 posts
  • Gender:Male
  • Location:Belgium

Posted 27 April 2008 - 05:02 AM

Hello Dan,

Looks like all malware is gone,
just some cleaning up to do :thumbsup:

Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following, if still present:

O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Policies\Explorer\Run: [AaUsa6bBde] C:\Documents and Settings\All Users\Application Data\bingdkdi\hchqnivq.exe

Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

You can remove all used tools and folders created in the process.
To remove ComboFix :
Go to Start > Run, and copy and paste the next command in the field:

ComboFix /u

Make sure there's a space between ComboFix and /u, then press Enter.
This will uninstall ComboFix, delete its related folders and files, restore your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Your Java VM is also out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older Java components and update.

Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6u6.
  • Scroll down to where it says The Java SE Runtime Environment (JRE) allows end-users to run Java applications.
  • Click the Download button to the right.
  • Check the box that says: Accept License Agreement
  • The page will refresh.
  • Click on the link to download Windows Offline Installation (jre-6u6-windows-i586-p.exe) and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u6-windows-i586-p.exe to install the newest version.
Are you still having problems?

Greetings,
Thunder
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
Posted Image - If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted --> Posted Image <-- And make a difference
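As an added example that is not part of this thread (it is not Thunder's or dballa's code, and not a feature of HijackThis), here is a small Python triage script that parses HijackThis O2, O3 and O4 lines like the two the helper asked to fix and flags what a helper looks for before requesting a "Fix checked". The sample lines are copied from this thread (the two entries above plus entries from the later HijackThis log); the heuristics (an orphaned "(no file)" target, a Run entry launching from a user-writable Application Data folder, the rarely used Policies\Explorer\Run key, a random-looking value name) and the 0.35 case-flip threshold are my assumptions, not rules from HijackThis.

```python
"""Triage helper for HijackThis-style log lines.

Added example for this thread, not code from HijackThis, BleepingComputer or
the posters.  It parses O2 (BHO), O3 (Toolbar) and O4 (Run) lines and flags
orphaned entries, autostarts launched from user-writable data folders, the
rarely used Policies\\Explorer\\Run key, and random-looking value names.
The heuristics and the threshold below are assumptions, not HijackThis rules.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: the two lines the helper asked to fix, one more orphaned
# BHO, and three benign entries, all copied from the logs in this thread.
SAMPLE_LOG = r"""
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Policies\Explorer\Run: [AaUsa6bBde] C:\Documents and Settings\All Users\Application Data\bingdkdi\hchqnivq.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
"""


@dataclass
class HjtEntry:
    section: str          # "O2", "O3" or "O4"
    name: str             # BHO/toolbar display name, or the [value name] of a Run entry
    target: str           # file path (possibly with arguments) or "(no file)"
    raw: str              # the original log line
    key: str = ""         # registry key for O4 entries, e.g. HKLM\..\Run
    reasons: list = field(default_factory=list)


O4_RE = re.compile(r"^O4 - (?P<key>\S+): \[(?P<name>[^\]]+)\] (?P<target>.+)$")
O2_O3_RE = re.compile(
    r"^(?P<section>O2|O3) - (?:BHO|Toolbar): (?P<name>.+?) - \{[0-9A-Fa-f-]+\} - (?P<target>.+)$"
)
# Folders any user (or malware running as that user) can write to.
DATA_DIR_RE = re.compile(
    r"\\(Application Data|ProgramData|Local Settings\\Temp|Temp)\\", re.IGNORECASE
)
POLICY_RUN_KEY = r"Policies\Explorer\Run"


def parse_line(line):
    """Return an HjtEntry for an O2/O3/O4 line, or None for anything else."""
    line = line.strip()
    m = O4_RE.match(line)
    if m:
        return HjtEntry("O4", m["name"], m["target"], line, key=m["key"])
    m = O2_O3_RE.match(line)
    if m:
        return HjtEntry(m["section"], m["name"], m["target"], line)
    return None


def looks_random(name):
    """Heuristic (assumption): a long alphanumeric name whose letters flip
    case unusually often.  'AaUsa6bBde' flips 5 times in 10 characters;
    'DellSupportCenter' flips 3 times in 17."""
    if len(name) < 8 or not name.isalnum():
        return False
    letters = [c for c in name if c.isalpha()]
    flips = sum(1 for a, b in zip(letters, letters[1:]) if a.isupper() != b.isupper())
    return flips / len(name) > 0.35


def triage(log_text):
    """Parse every O2/O3/O4 line and attach the reasons it deserves a look."""
    entries = []
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is None:
            continue
        if e.target.strip() == "(no file)":
            e.reasons.append("orphaned entry: target is (no file)")
        if DATA_DIR_RE.search(e.target):
            e.reasons.append("launches from a user-writable data directory")
        if e.section == "O4" and POLICY_RUN_KEY in e.key:
            e.reasons.append("uncommon autostart key (Policies\\Explorer\\Run)")
        if e.section == "O4" and looks_random(e.name):
            e.reasons.append("random-looking value name")
        entries.append(e)
    return entries


def suspicious(log_text):
    """Only the entries that collected at least one reason."""
    return [e for e in triage(log_text) if e.reasons]


if __name__ == "__main__":
    for e in suspicious(SAMPLE_LOG):
        print(e.raw)
        for r in e.reasons:
            print("   ->", r)
```

Run against the sample it reports the orphaned toolbar and BHO entries and the AaUsa6bBde Run entry (three reasons), and stays quiet on the AVG, Adobe and Dell entries. The heuristics are deliberately narrow: a hit means "look at this", not "malware", and a clean pass means nothing on its own.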

#5 dballa


Posted 28 April 2008 - 12:06 AM

Thunder,

I thought that all infections had been removed, but tonight I noticed IE suddenly freezing up and operating slowly. Windows popped up a warning that my computer may be running slow due to ad infections. I ran Malwarebytes quick scan and it detected nothing. However, Ad Aware detected 52 infections. Below is an edited copy of that log. Why do you think it keeps coming back after it seemingly has been removed?

Earlier today I deleted ComboFix and updated Java per your recommendations. Also, I noticed that something removed my desktop shortcut for Advanced Registry Optimizer. The program still exists but I cannot find it to open. Any thoughts on why this happened?

Thank you for your help.
Dan


Ad-Aware 2007 Build
Log File Created on: 2008-04-27 23:42:29
Using Definitions File: C:\Documents and Settings\All Users\Application Data\Lavasoft\Ad-Aware 2007\core.aawdef
Computer name: DFM4B771
Name of user performing scan: SYSTEM

System information
===========================
Number of processors: 1
Processor type: Intel® Pentium® 4 CPU 2.80GHz
Memory Available: 28%
Total Physical Memory: 526462976 Bytes
Available Physical Memory: 142864384 Bytes
Total Page File Size: 1285718016 Bytes
Available On Page File: 861982720 Bytes
Total Virtual Memory: 2147352576 Bytes
Available Virtual Memory: 1921105920 Bytes
OS: Microsoft Windows XP Service Pack 2 (Build 2600)

Ad-Aware 2007 Settings
===========================
Skipping files larger than 1048576 kB
Ignoring infections with lower TAI than: 3


Extended Ad-Aware 2007 Settings
===========================
Unloading known modules during scan
Ignoring spanned files when scanning cab archives
Reanalyzing results after scanning before displaying results
Trying to unload modules prior to removal
Let Windows remove files currently in use at next reboot
Removing quarantined objects after restore
Deactivating Ad-Watch during scans
Writeprotecting system files after repairs
Include info about ignored objects in log file
Including basic settings in log file
Including advanced settings in log file
Including user and computer name in log file
Create and save WebUpdate log file

Databaseinfo
===========================
Version number: 73
Build Number: 0
Build Date and Time: 2008/04/23 04:55:34

Scan Statistics
===========================
Method: Smart
Scan tracking cookies.............................: On
Scan ADS filestreams..............................: Off

Item Scanned: 150946
Infections Detected: 52
Infections Ignored: 0

Scan detailed statistics
===========================
Type Critical Total
Process Scan....: 0 0
Registry Scan...: 0 0
Registry PE Scan: 0 0
Hosts File Scan.: 0 0
File Scan.......: 0 0
Folder Scan.....: 0 0
LSP Scan........: 0 0
ADS Scan........: 0 0
Cookie Scan.....: 52 52
File Hash Scan..: 0 0

Infections Found
===========================
Family Id: 725 Name: Tracking Cookie Category: DataMiner TAI:3
Item Id: 600000201 Value: Browser: Internet Explorer Cookie: C:\Documents and Settings\Dan Balla\Cookies\index.dat media.adrevolver.com BIGipServerar-slave /
Item Id: 600000415 Value: Browser: Internet Explorer Cookie: C:\Documents and Settings\Dan Balla\Cookies\index.dat revsci.net NETID01 /
Item Id: 600000415 Value: Browser: Internet Explorer Cookie: C:\Documents and Settings\Dan Balla\Cookies\index.dat revsci.net NETSEGS_K06578 /
Item Id: 600000415 Value: Browser: Internet Explorer Cookie: C:\Documents and Settings\Dan Balla\Cookies\index.dat revsci.net NETSEGS_H07710 /
Item Id: 600000415 Value: Browser: Internet Explorer Cookie: C:\Documents and Settings\Dan Balla\Cookies\index.dat revsci.net rsi_cls_1000000 /
Item Id: 600000415 Value: Browser: Internet Explorer Cookie: C:\Documents and Settings\Dan Balla\Cookies\index.dat revsci.net rsi_segs_1000000 /
Item Id: 600000415 Value: Browser: Internet Explorer Cookie: C:\Documents and Settings\Dan Balla\Cookies\index.dat revsci.net NETSEGS_J05532 /
Item Id: 600000201 Value: Browser: Internet Explorer Cookie: C:\Documents and Settings\Dan Balla\Cookies\index.dat adrevolver.com adrev_adpath /
Item Id: 600000201 Value: Browser: Internet Explorer Cookie: C:\Documents and Settings\Dan Balla\Cookies\index.dat adrevolver.com adrev_adpath2 /
Item Id: 600000263 Value: Browser: Internet Explorer Cookie: C:\Documents and Settings\Dan Balla\Cookies\index.dat mediaplex.com svid /
Item Id: 600000050 Value: Browser: Internet Explorer Cookie: C:\Documents and Settings\Dan Balla\Cookies\index.dat tribalfusion.com ANON_ID /
Item Id: 600000144 Value: Browser: Internet Explorer Cookie: C:\Documents and Settings\Dan Balla\Cookies\index.dat doubleclick.net id /
Item Id: 600000179 Value: Browser: Internet Explorer Cookie: C:\Documents and Settings\Dan Balla\Cookies\index.dat atdmt.com AA002 /
Item Id: 600000212 Value: Browser: Internet Explorer Cookie: C:\Documents and Settings\Dan Balla\Cookies\index.dat timeinc.122.2o7.net s_vi /
Item Id: 600000434 Value: Browser: Internet Explorer Cookie: C:\Documents and Settings\Dan Balla\Cookies\index.dat casalemedia.com CMID /
Item Id: 600000434 Value: Browser: Internet Explorer Cookie: C:\Documents and Settings\Dan Balla\Cookies\index.dat casalemedia.com CMPS /
Item Id: 600000434 Value: Browser: Internet Explorer Cookie: C:\Documents and Settings\Dan Balla\Cookies\index.dat casalemedia.com CMPP /
Item Id: 600000434 Value: Browser: Internet Explorer Cookie: C:\Documents and Settings\Dan Balla\Cookies\index.dat casalemedia.com CMX1 /
Item Id: 600000434 Value: Browser: Internet Explorer Cookie: C:\Documents and Settings\Dan Balla\Cookies\index.dat casalemedia.com CMS /
Item Id: 600000434 Value: Browser: Internet Explorer Cookie: C:\Documents and Settings\Dan Balla\Cookies\index.dat casalemedia.com CMIMP /
Item Id: 600000000 Value: Browser: Internet Explorer Cookie: C:\Documents and Settings\Dan Balla\Cookies\index.dat zedo.com geo /
Item Id: 600000000 Value: Browser: Internet Explorer Cookie: C:\Documents and Settings\Dan Balla\Cookies\index.dat zedo.com ZEDOIDX /
Item Id: 600000000 Value: Browser: Internet Explorer Cookie: C:\Documents and Settings\Dan Balla\Cookies\index.dat zedo.com ZEDOIDA /
Item Id: 600000212 Value: Browser: Internet Explorer Cookie: C:\Documents and Settings\Dan Balla\Cookies\index.dat 2o7.net s_vi_rokcek /
Item Id: 600000212 Value: Browser: Internet Explorer Cookie: C:\Documents and Settings\Dan Balla\Cookies\index.dat 2o7.net s_vi_hfex7Ekx7Dx7Fzxx /
Item Id: 600000212 Value: Browser: Internet Explorer Cookie: C:\Documents and Settings\Dan Balla\Cookies\index.dat 2o7.net s_vi_kefx7Dhhxxkdn /
Item Id: 600000212 Value: Browser: Internet Explorer Cookie: C:\Documents and Settings\Dan Balla\Cookies\index.dat 2o7.net s_vi_gijupe /
Item Id: 600000400 Value: Browser: Internet Explorer Cookie: C:\Documents and Settings\Dan Balla\Cookies\index.dat tacoda.net TID /
Item Id: 600000400 Value: Browser: Internet Explorer Cookie: C:\Documents and Settings\Dan Balla\Cookies\index.dat tacoda.net Xsd /
Item Id: 600000400 Value: Browser: Internet Explorer Cookie: C:\Documents and Settings\Dan Balla\Cookies\index.dat tacoda.net ANRTT /
Item Id: 600000400 Value: Browser: Internet Explorer Cookie: C:\Documents and Settings\Dan Balla\Cookies\index.dat tacoda.net Tsid /
Item Id: 600000400 Value: Browser: Internet Explorer Cookie: C:\Documents and Settings\Dan Balla\Cookies\index.dat tacoda.net TData /
Item Id: 600000400 Value: Browser: Internet Explorer Cookie: C:\Documents and Settings\Dan Balla\Cookies\index.dat tacoda.net Anxd /
Item Id: 600000400 Value: Browser: Internet Explorer Cookie: C:\Documents and Settings\Dan Balla\Cookies\index.dat tacoda.net Tcc /
Item Id: 600000073 Value: Browser: Internet Explorer Cookie: C:\Documents and Settings\Dan Balla\Cookies\index.dat specificclick.net dmc /
Item Id: 600000073 Value: Browser: Internet Explorer Cookie: C:\Documents and Settings\Dan Balla\Cookies\index.dat specificclick.net dmk /
Item Id: 600000073 Value: Browser: Internet Explorer Cookie: C:\Documents and Settings\Dan Balla\Cookies\index.dat specificclick.net smc /
Item Id: 600000073 Value: Browser: Internet Explorer Cookie: C:\Documents and Settings\Dan Balla\Cookies\index.dat specificclick.net smk /
Item Id: 600000400 Value: Browser: Internet Explorer Cookie: C:\Documents and Settings\Dan Balla\Cookies\index.dat anad.tacoda.net /PC /
Item Id: 600000187 Value: Browser: Internet Explorer Cookie: C:\Documents and Settings\Dan Balla\Cookies\index.dat advertising.com ACID /
Item Id: 600000187 Value: Browser: Internet Explorer Cookie: C:\Documents and Settings\Dan Balla\Cookies\index.dat advertising.com BASE /
Item Id: 600000187 Value: Browser: Internet Explorer Cookie: C:\Documents and Settings\Dan Balla\Cookies\index.dat advertising.com ROLL /
Item Id: 600000187 Value: Browser: Internet Explorer Cookie: C:\Documents and Settings\Dan Balla\Cookies\index.dat advertising.com F1 /
Item Id: 600000187 Value: Browser: Internet Explorer Cookie: C:\Documents and Settings\Dan Balla\Cookies\index.dat advertising.com C2 /
Item Id: 600000052 Value: Browser: Internet Explorer Cookie: C:\Documents and Settings\Dan Balla\Cookies\index.dat trafficmp.com rth /
Item Id: 600000460 Value: Browser: Internet Explorer Cookie: C:\Documents and Settings\Dan Balla\Cookies\index.dat ad.yieldmanager.com uid /
Item Id: 600000460 Value: Browser: Internet Explorer Cookie: C:\Documents and Settings\Dan Balla\Cookies\index.dat ad.yieldmanager.com bh /
Item Id: 600000460 Value: Browser: Internet Explorer Cookie: C:\Documents and Settings\Dan Balla\Cookies\index.dat ad.yieldmanager.com lifb /
Item Id: 600000460 Value: Browser: Internet Explorer Cookie: C:\Documents and Settings\Dan Balla\Cookies\index.dat ad.yieldmanager.com vuday1 /
Item Id: 600000460 Value: Browser: Internet Explorer Cookie: C:\Documents and Settings\Dan Balla\Cookies\index.dat ad.yieldmanager.com ih /
Item Id: 600000460 Value: Browser: Internet Explorer Cookie: C:\Documents and Settings\Dan Balla\Cookies\index.dat ad.yieldmanager.com liday1 /
Item Id: 600000460 Value: Browser: Internet Explorer Cookie: C:\Documents and Settings\Dan Balla\Cookies\index.dat ad.yieldmanager.com fl_inst /




Cleaned Infections
===========================
Browser: Internet Explorer Cookie: C:\Documents and Settings\Dan Balla\Cookies\index.dat media.adrevolver.com BIGipServerar-slave /, Belonging to Tracking Cookie
Browser: Internet Explorer Cookie: C:\Documents and Settings\Dan Balla\Cookies\index.dat adrevolver.com adrev_adpath /, Belonging to Tracking Cookie
Browser: Internet Explorer Cookie: C:\Documents and Settings\Dan Balla\Cookies\index.dat adrevolver.com adrev_adpath2 /, Belonging to Tracking Cookie
Browser: Internet Explorer Cookie: C:\Documents and Settings\Dan Balla\Cookies\index.dat tribalfusion.com ANON_ID /, Belonging to Tracking Cookie
Browser: Internet Explorer Cookie: C:\Documents and Settings\Dan Balla\Cookies\index.dat timeinc.122.2o7.net s_vi /, Belonging to Tracking Cookie
Browser: Internet Explorer Cookie: C:\Documents and Settings\Dan Balla\Cookies\index.dat zedo.com geo /, Belonging to Tracking Cookie
Browser: Internet Explorer Cookie: C:\Documents and Settings\Dan Balla\Cookies\index.dat zedo.com ZEDOIDX /, Belonging to Tracking Cookie
Browser: Internet Explorer Cookie: C:\Documents and Settings\Dan Balla\Cookies\index.dat zedo.com ZEDOIDA /, Belonging to Tracking Cookie
Browser: Internet Explorer Cookie: C:\Documents and Settings\Dan Balla\Cookies\index.dat 2o7.net s_vi_rokcek /, Belonging to Tracking Cookie
Browser: Internet Explorer Cookie: C:\Documents and Settings\Dan Balla\Cookies\index.dat 2o7.net s_vi_hfex7Ekx7Dx7Fzxx /, Belonging to Tracking Cookie
Browser: Internet Explorer Cookie: C:\Documents and Settings\Dan Balla\Cookies\index.dat 2o7.net s_vi_kefx7Dhhxxkdn /, Belonging to Tracking Cookie
Browser: Internet Explorer Cookie: C:\Documents and Settings\Dan Balla\Cookies\index.dat 2o7.net s_vi_gijupe /, Belonging to Tracking Cookie
Browser: Internet Explorer Cookie: C:\Documents and Settings\Dan Balla\Cookies\index.dat advertising.com ACID /, Belonging to Tracking Cookie
Browser: Internet Explorer Cookie: C:\Documents and Settings\Dan Balla\Cookies\index.dat advertising.com BASE /, Belonging to Tracking Cookie
Browser: Internet Explorer Cookie: C:\Documents and Settings\Dan Balla\Cookies\index.dat advertising.com ROLL /, Belonging to Tracking Cookie
Browser: Internet Explorer Cookie: C:\Documents and Settings\Dan Balla\Cookies\index.dat advertising.com F1 /, Belonging to Tracking Cookie
Browser: Internet Explorer Cookie: C:\Documents and Settings\Dan Balla\Cookies\index.dat advertising.com C2 /, Belonging to Tracking Cookie
Browser: Internet Explorer Cookie: C:\Documents and Settings\Dan Balla\Cookies\index.dat trafficmp.com rth /, Belonging to Tracking Cookie

End of Cleaned Infections
===========================

#6 Thunder


Posted 28 April 2008 - 10:08 AM

Hello Dan,

That log shows just a bunch of cookies, nothing to worry about.

That doesn't necessarily mean nothing's wrong,
so I'd like you to run an online scan:

Please use the Internet Explorer browser, and do an online scan with Kaspersky Online Scanner

Note: If you have used this particular scanner before, you MAY HAVE TO UNINSTALL the program through Add/Remove Programs before downloading the new ActiveX component

Click Yes, when prompted to install its ActiveX component.
(Note.. for Internet Explorer 7 users: If at any time you have trouble with the Accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%.)

The program launches and downloads the latest definition files.
  • Once the files are downloaded click on Next
  • Click on Scan Settings and configure as follows:
    • Scan using the following Anti-Virus database:
      • choose the second option Extended - protect your ....
    • Scan Options: select Scan Archives and Scan Mail Bases
  • Click OK and, under select a target to scan, select My Computer
When the scan is done, in the Scan is completed window, any infection is displayed.
There is no option to clean/disinfect, however, we need to analyze the information on the report.
To obtain the report:
Click on: Save Report As
Next, in the Save as prompt, Save in area, select: Desktop
In the File name area, use KScan, or something similar
In Save as type, click the drop arrow and select: Text file [*.txt]
Then, click: Save
Please post the Kaspersky Online Scanner Report in your reply along with a new HijackThis log.
Greetings,
Thunder

#7 dballa


Posted 29 April 2008 - 12:23 AM

Hello Thunder,

Thank you for your patience with helping me find and eliminate the infections. Per your request, I have pasted a copy of the Kaspersky scan and HijackThis logs. Please let me know how to best remove the viruses and infections found.

Regards,
Dan

KASPERSKY ONLINE SCANNER REPORT
Tuesday, April 29, 2008 12:08:29 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 29/04/2008
Kaspersky Anti-Virus database records: 729511
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 64754
Number of viruses found: 2
Number of infected objects: 4
Number of suspicious objects: 0
Duration of the scan process: 01:11:11

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Support\MPLog-04202008-012102.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\SupportSoft\DellSupportCenter\SYSTEM\state\logs\sprtcmd.log Object is locked skipped
C:\Documents and Settings\Dan Balla\Application Data\Gtek\GTUpdate\AUpdate\DellSupport\DSAgnt.log Object is locked skipped
C:\Documents and Settings\Dan Balla\Application Data\Gtek\GTUpdate\AUpdate\DellSupport\DSAgnt_GTActions.log Object is locked skipped
C:\Documents and Settings\Dan Balla\Application Data\Gtek\GTUpdate\AUpdate\DellSupport\gdql_d_DSAgnt.log Object is locked skipped
C:\Documents and Settings\Dan Balla\Application Data\Gtek\GTUpdate\AUpdate\DellSupport\glog.log Object is locked skipped
C:\Documents and Settings\Dan Balla\Application Data\Gtek\GTUpdate\AUpdate\EasyLinkAdvisor\gdql_lsa_LinksysAgent.log Object is locked skipped
C:\Documents and Settings\Dan Balla\Application Data\Gtek\GTUpdate\AUpdate\EasyLinkAdvisor\glog.log Object is locked skipped
C:\Documents and Settings\Dan Balla\Application Data\Gtek\GTUpdate\AUpdate\EasyLinkAdvisor\LinksysAgent.log Object is locked skipped
C:\Documents and Settings\Dan Balla\Application Data\Gtek\GTUpdate\AUpdate\EasyLinkAdvisor\LinksysAgent_GTActions.log Object is locked skipped
C:\Documents and Settings\Dan Balla\Cookies\INDEX.DAT Object is locked skipped
C:\Documents and Settings\Dan Balla\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Dan Balla\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Dan Balla\Local Settings\Application Data\SupportSoft\DellSupportCenter\Dan Balla\state\logs\sprtcmd.log Object is locked skipped
C:\Documents and Settings\Dan Balla\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\Dan Balla\Local Settings\Temp\~DF5076.tmp Object is locked skipped
C:\Documents and Settings\Dan Balla\Local Settings\Temp\~DF5083.tmp Object is locked skipped
C:\Documents and Settings\Dan Balla\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Dan Balla\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Dan Balla\My Documents\Outlook Express ems\LINKS- CORRESPOND..DBX/[From "Dan Balla" <dballa@broadcast.net>][Date Fri, 14 Jul 2000 11:58:34 -0500]/UNNAMED/html Infected: Email-Worm.VBS.KakWorm skipped
C:\Documents and Settings\Dan Balla\My Documents\Outlook Express ems\LINKS- CORRESPOND..DBX/[From "Dan Balla" <dballa@broadcast.net>][Date Fri, 14 Jul 2000 11:58:34 -0500]/UNNAMED Infected: Email-Worm.VBS.KakWorm skipped
C:\Documents and Settings\Dan Balla\My Documents\Outlook Express ems\LINKS- CORRESPOND..DBX MailMSOutlook5: infected - 2 skipped
C:\Documents and Settings\Dan Balla\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Dan Balla\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\nickarcade\nickarcade.dll_0_ Infected: not-a-virus:AdWare.Win32.BHO.w skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP937\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\AppEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\Internet.evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SecEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SysEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\H323LOG.TXT Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\WIADEBUG.LOG Object is locked skipped
C:\WINDOWS\WIASERVC.LOG Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:16:12 AM, on 4/29/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/mywaybiz
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: dlbcserv.lnk = C:\Program Files\Dell Photo Printer 720\dlbcserv.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/...?p=ZUYYYYYYYYUS
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://download.windowsupdate.com
O16 - DPF: {01118A01-3E00-11D2-8470-0060089874ED} (SupportSoft Script Runner Class) - https://password.bellsouth.net/sdccommon/do...oad/tgctlsr.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {2ED9BC2B-4DF1-472E-9B5E-55477D2C97F5} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {3299935F-2C5A-499A-9908-95CFFF6EF8C1} (Quicksilver Class) - https://vapwdb.ops.placeware.com/etc/place/...quicksilver.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1114034572933
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1124633824937
O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.walmart.com/installer/install.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun.com/ESD40/JSCDL/jre/6u...ows-i586-jc.cab
O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://www.homesteadhotels.com/minisite/ac...nd/MSSurVid.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/vir...l/installer.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD File System Service (InCDsrv) - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
--
End of file - 9614 bytes

#8 Thunder
  • Members
  • 3,294 posts
  • Gender:Male
  • Location:Belgium

Posted 29 April 2008 - 08:57 AM

Hello Dan,

The only relevant item found is in the folder
C:\Documents and Settings\Dan Balla\My Documents\Outlook Express ems\LINKS- CORRESPOND..DBX/[From "Dan Balla" <dballa@broadcast.net>][Date Fri, 14 Jul 2000 11:58:34 -0500]/UNNAMED

You can either delete it using Windows Explorer or from within your Outlook Express account.

Greetings,
Thunder
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
Posted Image - If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted --> Posted Image <-- And make a difference

#9 dballa
  • Topic Starter
  • Members
  • 5 posts

Posted 10 May 2008 - 10:24 AM

Hello Thunder,

I have monitored my computer by running the various virus programs over the past 10 days. Nothing had shown up until yesterday. You might recall that I mentioned ComboFix deleted a program, "Advanced Registry Optimizer," which I downloaded online. I recently reinstalled it from a CD. Afterwards, I ran Malwarebytes and it detected Advanced Registry Optimizer as a virus! What do you make of this? Did I purchase software that contains a virus? If you need a HijackThis log, let me know. Here is the Malwarebytes log:

Malwarebytes' Anti-Malware 1.11
Database version: 690

Scan type: Full Scan (C:\|)
Objects scanned: 100889
Time elapsed: 35 minute(s), 57 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 6
Files Infected: 23

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\Software\Sammsoft (Rogue.Advanced.Registry.Optimizer) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\Advanced Registry Optimizer (Rogue.Advanced.Registry.Optimizer) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Advanced Registry Optimizer (Rogue.Advanced.Registry.Optimizer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Dan Balla\Application Data\Sammsoft (Rogue.Advanced.Registry.Optimizer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Dan Balla\Application Data\Sammsoft\Advanced Registry Optimizer (Rogue.Advanced.Registry.Optimizer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Dan Balla\Application Data\Sammsoft\Advanced Registry Optimizer\Version 50 (Rogue.Advanced.Registry.Optimizer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Dan Balla\Application Data\Sammsoft\Advanced Registry Optimizer\Version 50\Partial Backups (Rogue.Advanced.Registry.Optimizer) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\Advanced Registry Optimizer\ARO.chm (Rogue.Advanced.Registry.Optimizer) -> Quarantined and deleted successfully.
C:\Program Files\Advanced Registry Optimizer\ARO.exe (Rogue.Advanced.Registry.Optimizer) -> Quarantined and deleted successfully.
C:\Program Files\Advanced Registry Optimizer\AROSS.dll (Rogue.Advanced.Registry.Optimizer) -> Quarantined and deleted successfully.
C:\Program Files\Advanced Registry Optimizer\AROTutorial.exe (Rogue.Advanced.Registry.Optimizer) -> Quarantined and deleted successfully.
C:\Program Files\Advanced Registry Optimizer\CheckForV4.dll (Rogue.Advanced.Registry.Optimizer) -> Quarantined and deleted successfully.
C:\Program Files\Advanced Registry Optimizer\CleanSchedule.exe (Rogue.Advanced.Registry.Optimizer) -> Quarantined and deleted successfully.
C:\Program Files\Advanced Registry Optimizer\soref.dll (Rogue.Advanced.Registry.Optimizer) -> Quarantined and deleted successfully.
C:\Program Files\Advanced Registry Optimizer\unins000.dat (Rogue.Advanced.Registry.Optimizer) -> Quarantined and deleted successfully.
C:\Program Files\Advanced Registry Optimizer\unins000.exe (Rogue.Advanced.Registry.Optimizer) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Advanced Registry Optimizer\Advanced Registry Optimizer.lnk (Rogue.Advanced.Registry.Optimizer) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Advanced Registry Optimizer\Uninstall Advanced Registry Optimizer.lnk (Rogue.Advanced.Registry.Optimizer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Dan Balla\Application Data\Sammsoft\Advanced Registry Optimizer\Version 50\1209837141.reg (Rogue.Advanced.Registry.Optimizer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Dan Balla\Application Data\Sammsoft\Advanced Registry Optimizer\Version 50\1209837204.reg (Rogue.Advanced.Registry.Optimizer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Dan Balla\Application Data\Sammsoft\Advanced Registry Optimizer\Version 50\backup.bin (Rogue.Advanced.Registry.Optimizer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Dan Balla\Application Data\Sammsoft\Advanced Registry Optimizer\Version 50\ExcludeList.aro (Rogue.Advanced.Registry.Optimizer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Dan Balla\Application Data\Sammsoft\Advanced Registry Optimizer\Version 50\results.aro (Rogue.Advanced.Registry.Optimizer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Dan Balla\Application Data\Sammsoft\Advanced Registry Optimizer\Version 50\Partial Backups\00000001.rmb (Rogue.Advanced.Registry.Optimizer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Dan Balla\Application Data\Sammsoft\Advanced Registry Optimizer\Version 50\Partial Backups\00000001.rmi (Rogue.Advanced.Registry.Optimizer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Dan Balla\Application Data\Sammsoft\Advanced Registry Optimizer\Version 50\Partial Backups\00000002.rmb (Rogue.Advanced.Registry.Optimizer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Dan Balla\Application Data\Sammsoft\Advanced Registry Optimizer\Version 50\Partial Backups\00000002.rmi (Rogue.Advanced.Registry.Optimizer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Dan Balla\Application Data\Sammsoft\Advanced Registry Optimizer\Version 50\Partial Backups\00000003.rmb (Rogue.Advanced.Registry.Optimizer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Dan Balla\Desktop\Check PC For Errors.lnk (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\Dan Balla\Application Data\Microsoft\Internet Explorer\Quick Launch\Check PC For Errors.lnk (Rogue.Link) -> Quarantined and deleted successfully.

#10 Thunder
  • Members
  • 3,294 posts
  • Gender:Male
  • Location:Belgium

Posted 12 May 2008 - 04:08 PM

Hello Dan,

You obviously didn't update MBAM before running it again, since it doesn't target Advanced Registry Optimizer anymore.

Everything else looks fine.

You can remove all used tools and folders created in the process.
To remove ComboFix:
Go to Start > Run, and copy and paste the next command in the field: ComboFix /u
Make sure there's a space between ComboFix and /u.
Then press Enter.
This will uninstall ComboFix, delete its related folders and files, restore your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Your Java VM is also out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older Java components and update.

Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6u6.
  • Scroll down to where it says The Java SE Runtime Environment (JRE) allows end-users to run Java applications.
  • Click the Download button to the right.
  • Check the box that says: Accept License Agreement
  • The page will refresh.
  • Click on the link to download Windows Offline Installation (jre-6u6-windows-i586-p.exe) and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u6-windows-i586-p.exe to install the newest version.
Greetings,
Thunder
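The triage Thunder does by eye on the HijackThis log posted earlier in this thread (ActiveX controls pulled down by the O16 DPF lines, O23 services with no vendor name, the JRE build visible in the O9 path) together with the "Java VM is out of date" point in the post above, as an added Python example. It is not part of the thread and not HijackThis or Malwarebytes code. The sample lines are copied from the log in this thread, with the two URLs the forum shortened left as shown; the trusted-host allowlist and the 6u6 baseline are assumptions chosen for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlparse

# Constructed sample: nine lines copied from the HijackThis log posted earlier in
# this thread (two URLs were shortened with "..." by the forum and are kept as shown).
SAMPLE_LOG = r"""
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O15 - Trusted Zone: http://download.windowsupdate.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1114034572933
O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.walmart.com/installer/install.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/vir...l/installer.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
"""

# Assumed policy for this example: ActiveX controls (O16 DPF) downloaded from these
# domains are expected on an XP box; anything else is listed for a human to look at.
TRUSTED_DPF_SUFFIXES = ("microsoft.com", "windowsupdate.com")
# Newest JRE named in the thread; assumed baseline for the "out of date" check.
RECOMMENDED_JRE = "6u6"

@dataclass
class Entry:
    section: str  # "O4", "O16", "O23", ...
    body: str     # text after "O16 - "

_LINE_RE = re.compile(r"^(O\d+|R\d|F\d)\s+-\s+(.*)$")
_DPF_RE = re.compile(r"(\{[0-9A-Fa-f-]{36}\}).*?-\s+(\S+)$")
_JRE_PATH_RE = re.compile(r"jre1\.(\d+)\.\d+_(\d+)", re.IGNORECASE)  # jre1.6.0_05
_JRE_NAME_RE = re.compile(r"^(\d+)u(\d+)$")                           # 6u6

def parse_hjt(text: str) -> List[Entry]:
    """Split a HijackThis log into (section, body) entries; other lines are dropped."""
    entries = []
    for line in text.splitlines():
        m = _LINE_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return entries

def untrusted_dpf(entries: List[Entry]) -> List[Tuple[str, str]]:
    """(CLSID, host) of every O16 control fetched from a host outside the allowlist.

    Entries whose target is a local path (no URL host) or contains spaces are skipped.
    """
    found = []
    for e in entries:
        m = _DPF_RE.search(e.body) if e.section == "O16" else None
        if not m:
            continue
        host = urlparse(m.group(2)).hostname
        if not host:
            continue
        h = host.lower()
        if not any(h == s or h.endswith("." + s) for s in TRUSTED_DPF_SUFFIXES):
            found.append((m.group(1), host))
    return found

def unknown_owner_services(entries: List[Entry]) -> List[str]:
    """Image paths of O23 services HijackThis could not attribute to a vendor."""
    return [e.body.rsplit(" - ", 1)[1]
            for e in entries
            if e.section == "O23" and " - Unknown owner - " in e.body]

def parse_jre_version(s: str) -> Optional[Tuple[int, int]]:
    """Normalise an install path ('...jre1.6.0_05...') or a release name ('6u6') to (family, update)."""
    m = _JRE_PATH_RE.search(s) or _JRE_NAME_RE.match(s)
    return (int(m.group(1)), int(m.group(2))) if m else None

def installed_jre_versions(entries: List[Entry]) -> List[Tuple[int, int]]:
    """Distinct JRE builds whose install path shows up anywhere in the log (O9 buttons, O2 BHOs, O16)."""
    return sorted({v for v in (parse_jre_version(e.body) for e in entries) if v})

def outdated_jre(entries: List[Entry], recommended: str = RECOMMENDED_JRE) -> List[Tuple[int, int]]:
    """Installed JRE builds older than the recommended release (the 'Java VM is out of date' check)."""
    target = parse_jre_version(recommended)
    return [v for v in installed_jre_versions(entries) if target and v < target]

def triage(text: str) -> Dict[str, object]:
    """Run all three checks over a log and return the findings keyed by check name."""
    entries = parse_hjt(text)
    return {
        "entries": len(entries),
        "untrusted_dpf": untrusted_dpf(entries),
        "unknown_owner_services": unknown_owner_services(entries),
        "outdated_jre": outdated_jre(entries),
    }
```

Calling `triage(SAMPLE_LOG)` reports the two ActiveX controls that did not come from Microsoft (the Walmart media player and the Virtools WebPlayer served from Akamai), the one service HijackThis could not attribute to a vendor (Dell's brkrsvc.exe), and JRE 6 update 5 as older than 6u6. None of that is a verdict on its own: an unattributed service is often just an unsigned OEM binary, as it is here, and the point of the script is to shrink a 9 KB log to the handful of lines worth looking up.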

#11 Thunder
  • Members
  • 3,294 posts
  • Gender:Male
  • Location:Belgium

Posted 04 June 2008 - 03:41 PM

Since there is no feedback anymore, I assume this issue is resolved ... so, this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.



