
Virtumonde Infection


  • This topic is locked
35 replies to this topic

#1 sendero

Posted 07 July 2006 - 06:48 AM

I tried begone and vundo fix without help.
I discovered it with adware, but I could not clean it
I run nod 32
Here is my hjk
please help

Logfile of HijackThis v1.99.1
Scan saved at 7:43:53 AM, on 7/7/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Prevx Home\PXAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\M-Audio Uno\UnoInst.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Creative\Sound Blaster\Surround Mixer\CTSysVol.exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\Documents and Settings\Owner\Desktop\utorrent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\regsvr32.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Owner\Desktop\ePOStg256\StingPkg.Exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\tmp5D5D.tmp\stinst32.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\cleanup.exe
C:\hjt\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = +w
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = +w
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = +w
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O1 - Hosts: AmsServer
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\system32\jkkhede.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O2 - BHO: Encarta Web Companion Helper Object - {955BE0B8-BC85-4CAF-856E-8E0D8B610560} - C:\Program Files\Common Files\Microsoft Shared\Encarta Web Companion\ENCWCBAR.DLL
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: Encarta Web Companion - {147D6308-0614-4112-89B1-31402F9B82C4} - C:\Program Files\Common Files\Microsoft Shared\Encarta Web Companion\ENCWCBAR.DLL
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\Sound Blaster\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Global Startup: NOD32 FiX.lnk = C:\WINDOWS\system32\regedt32.exe
O8 - Extra context menu item: Customize Menu &4 - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download web site with Free Download Manager - file://C:\Program Files\Free Download Manager\dlpage.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: Fill Forms &] - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: Save Forms &[ - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\Program Files\VisualRoute\vrie.dll
O9 - Extra 'Tools' menuitem: VisualRoute Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\Program Files\VisualRoute\vrie.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms &] - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms &[ - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm &2 - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: IE HTTP Analyzer - {C7B3DF1E-6EFC-41E8-9DA7-EBC1F973832D} - C:\PROGRA~1\HTTPAN~1\IEHTTP~1.DLL
O9 - Extra 'Tools' menuitem: IE HTTP Analyzer - {C7B3DF1E-6EFC-41E8-9DA7-EBC1F973832D} - C:\PROGRA~1\HTTPAN~1\IEHTTP~1.DLL
O9 - Extra button: HotWhois - {CF4DA62E-8A85-4C89-8232-F555BC352B0B} - C:\Program Files\HotWhois\awie.exe
O9 - Extra 'Tools' menuitem: &HotWhois - {CF4DA62E-8A85-4C89-8232-F555BC352B0B} - C:\Program Files\HotWhois\awie.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kav...can_unicode.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://echat.us.dell.com/Media/VisitorChat/TLIEFlash.CAB
O18 - Protocol: Festoon - (no CLSID) - (no file)
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Protocol: vskype - (no CLSID) - (no file)
O20 - Winlogon Notify: cfgmngr32 - C:\WINDOWS\g824500.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: jkkhede - C:\WINDOWS\SYSTEM32\jkkhede.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winuqw32 - C:\WINDOWS\SYSTEM32\winuqw32.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IUWAKKBS - Unknown owner - C:\DOCUME~1\Owner\LOCALS~1\Temp\IUWAKKBS.exe (file missing)
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Prevx Agent (PrevxAgent) - Unknown owner - C:\Program Files\Prevx Home\PXAgent.exe" -f (file missing)
O23 - Service: M-Audio Uno Installer (UnoInstallerService) - Unknown owner - C:\Program Files\M-Audio Uno\UnoInst.exe


#2 -David-

Posted 08 July 2006 - 07:57 AM

Hi sendero

It is a good idea to print off these instructions - they will be needed later when internet access is not available. You may also like to save these instructions in word/notepad to the desktop where they can be easily found for the same reasons as above. It is important that you complete the following instructions in the correct order, and also that you don't miss anything out!

* Download win32delfkil.exe: http://users.telenet.be/marcvn/tools/win32delfkil.exe
Save it on your desktop.
Double click on win32delfkil.exe and install it. This creates a new folder on your desktop: win32delfkil
Close all windows, open the win32delfkil folder and double click on fix.bat.
Please read the instructions you'll get.
It will ask you to shutdown your system using the power button instead of the normal shut down procedure.

* Open hijackthis, click 'config' (bottom right)
Choose the tab 'misc Tools' on top.
Choose 'delete a file on reboot'
In the field, copy and paste next:

C:\WINDOWS\SYSTEM32\winuqw32.dll

Click open.
Hijackthis will tell you that this file will be deleted on next reboot and if you want to reboot now.
When asked if you want to reboot now, say No.

* Open notepad and copy and paste next in it:

sc delete IUWAKKBS
sc delete PrevxAgent

Save this as fix.bat
Choose to save as all files.
This is how the batch must look afterwards: [image not included]
Double-click fix.bat and copy the contents of the text file that opens back here.

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Put a check next to Run VundoFix as a task.
  • You will receive a message saying vundofix will close and re-open in a minute or less. Click OK
  • When VundoFix re-opens, click the Scan for Vundo button.
  • Once the scan is complete, right-click inside the listbox (white box) and click add more files
  • Copy & paste the 2 entries below into the top 2 boxes
    • C:\WINDOWS\SYSTEM32\jkkhede.dll
    • C:\WINDOWS\system32\edehkkj.*
  • Click Add Files and Click Close Window
  • Click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will shutdown your computer, click OK.
  • Turn your computer back on.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log.
David
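A defender-side triage of the same log entries David picks out above, as an added example that is not part of this thread and not a BleepingComputer, HijackThis or VundoFix tool: it parses the O2 (BHO), O20 (Winlogon Notify) and O23 (service) lines of a HijackThis log and flags an unnamed BHO whose DLL is also registered as a Winlogon Notify package, Notify keys outside a small known-good set, and services whose binary is missing or sits under a Temp folder. The sample lines are copied from the first log in this thread and trimmed; the known-good Notify key list is an illustrative assumption, not a complete inventory of legitimate XP packages.

```python
"""Flag the HijackThis entries that mark a Vundo/Virtumonde infection.

Added example for this thread; not a BleepingComputer or HijackThis tool.
Rules (defender's triage, mirroring what the helper picked out by hand):
  1. an O2 BHO with "(no name)" whose DLL is also an O20 Winlogon Notify key
  2. an O20 Winlogon Notify DLL whose key is not in a small known-good set
  3. an O23 service whose binary is "(file missing)" or lives under a Temp folder
"""
import re

# Known-good Winlogon Notify subkeys on XP. ASSUMPTION: illustrative, not
# exhaustive; extend it from a clean reference machine before relying on it.
KNOWN_NOTIFY_KEYS = {
    "crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
    "sclgntfy", "senslogn", "termsrv", "wlballoon", "igfxcui", "wgalogon",
}

_O2 = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[^}]+)\} - (?P<path>.*)$")
_O20 = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.*)$")
_O23 = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$")
_BIN = re.compile(r'([^\\/"]+\.(?:dll|exe|ocx))', re.IGNORECASE)


def binary_name(path):
    """Return the lower-cased file name from a HijackThis path field.

    The field may carry trailing text (a stray quote, ' -f', '(file missing)'),
    so take the first .dll/.exe/.ocx token rather than splitting on backslashes.
    """
    m = _BIN.search(path)
    return m.group(1).lower() if m else path.strip().lower()


def parse_hjt(text):
    """Split a HijackThis log into the O2, O20 and O23 entries we inspect."""
    entries = {"O2": [], "O20": [], "O23": []}
    for line in text.splitlines():
        line = line.strip()
        for kind, pat in (("O2", _O2), ("O20", _O20), ("O23", _O23)):
            m = pat.match(line)
            if m:
                entries[kind].append((line, m.groupdict()))
                break
    return entries


def vundo_findings(text):
    """Return [{'line', 'binary', 'reason'}] for every suspicious entry."""
    entries = parse_hjt(text)
    notify_keys = {d["key"].lower() for _, d in entries["O20"]}
    findings = []

    for line, d in entries["O2"]:
        name = binary_name(d["path"])
        stem = name.rsplit(".", 1)[0]
        # Rule 1: the same DLL registered as a BHO and as a Notify package
        # is reloaded by winlogon even after the BHO entry is removed.
        if d["name"].strip().lower() == "(no name)" and stem in notify_keys:
            findings.append({"line": line, "binary": name,
                             "reason": "unnamed BHO also in Winlogon Notify"})

    for line, d in entries["O20"]:
        # Rule 2: anything winlogon loads at logon that we cannot vouch for.
        if d["key"].lower() not in KNOWN_NOTIFY_KEYS:
            findings.append({"line": line, "binary": binary_name(d["path"]),
                             "reason": "Winlogon Notify key not in known-good set"})

    for line, d in entries["O23"]:
        # Rule 3: a service pointing at Temp or at a file that no longer exists.
        path = d["path"]
        if "(file missing)" in path or "\\temp\\" in path.lower():
            findings.append({"line": line, "binary": binary_name(path),
                             "reason": "service binary missing or under Temp"})
    return findings


# Constructed sample: lines copied from the first HijackThis log in this
# thread, trimmed to the entries the rules look at.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\system32\jkkhede.dll
O20 - Winlogon Notify: cfgmngr32 - C:\WINDOWS\g824500.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: jkkhede - C:\WINDOWS\SYSTEM32\jkkhede.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winuqw32 - C:\WINDOWS\SYSTEM32\winuqw32.dll
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: IUWAKKBS - Unknown owner - C:\DOCUME~1\Owner\LOCALS~1\Temp\IUWAKKBS.exe (file missing)
O23 - Service: Prevx Agent (PrevxAgent) - Unknown owner - C:\Program Files\Prevx Home\PXAgent.exe" -f (file missing)
"""

if __name__ == "__main__":
    for hit in vundo_findings(SAMPLE_LOG):
        print(f"{hit['binary']:<14} {hit['reason']}")
```

Spybot's SDHelper.dll is also an unnamed BHO but has no matching Notify key, so rule 1 leaves it alone; the three DLLs and two services that come out are exactly the ones the instructions above delete.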

#3 sendero

Posted 08 July 2006 - 11:28 AM

david,

I am unable to install the program!
it says something in german/dutch such as "fouten opgetreden tijdens verwerking. lees het informatienvenster voor meer informatie... I capture the message....what should I do?!
thanks for your help!

#4 sendero

Posted 08 July 2006 - 06:53 PM

I tried in safe mode, etc...
so I tried vundofix again and it worked!
here is the vundofix log and the hjk log...I think I am clean...what do you think??

Logfile of HijackThis v1.99.1
Scan saved at 7:47:43 PM, on 7/8/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Prevx Home\PXAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\M-Audio Uno\UnoInst.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Creative\Sound Blaster\Surround Mixer\CTSysVol.exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Owner\Desktop\utorrent.exe
C:\hjt\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = +w
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = +w
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = +w
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O1 - Hosts: AmsServer
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: Encarta Web Companion - {147D6308-0614-4112-89B1-31402F9B82C4} - C:\Program Files\Common Files\Microsoft Shared\Encarta Web Companion\ENCWCBAR.DLL
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\Sound Blaster\Surround Mixer\CTSysVol.exe /r
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Global Startup: NOD32 FiX.lnk = C:\WINDOWS\system32\regedt32.exe
O8 - Extra context menu item: Customize Menu &4 - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download web site with Free Download Manager - file://C:\Program Files\Free Download Manager\dlpage.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: Fill Forms &] - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: Save Forms &[ - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\Program Files\VisualRoute\vrie.dll
O9 - Extra 'Tools' menuitem: VisualRoute Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\Program Files\VisualRoute\vrie.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms &] - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms &[ - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm &2 - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: IE HTTP Analyzer - {C7B3DF1E-6EFC-41E8-9DA7-EBC1F973832D} - C:\PROGRA~1\HTTPAN~1\IEHTTP~1.DLL
O9 - Extra 'Tools' menuitem: IE HTTP Analyzer - {C7B3DF1E-6EFC-41E8-9DA7-EBC1F973832D} - C:\PROGRA~1\HTTPAN~1\IEHTTP~1.DLL
O9 - Extra button: HotWhois - {CF4DA62E-8A85-4C89-8232-F555BC352B0B} - C:\Program Files\HotWhois\awie.exe
O9 - Extra 'Tools' menuitem: &HotWhois - {CF4DA62E-8A85-4C89-8232-F555BC352B0B} - C:\Program Files\HotWhois\awie.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kav...can_unicode.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://echat.us.dell.com/Media/VisitorChat/TLIEFlash.CAB
O18 - Protocol: Festoon - (no CLSID) - (no file)
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Protocol: vskype - (no CLSID) - (no file)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IUWAKKBS - Unknown owner - C:\DOCUME~1\Owner\LOCALS~1\Temp\IUWAKKBS.exe (file missing)
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Prevx Agent (PrevxAgent) - Unknown owner - C:\Program Files\Prevx Home\PXAgent.exe" -f (file missing)
O23 - Service: M-Audio Uno Installer (UnoInstallerService) - Unknown owner - C:\Program Files\M-Audio Uno\UnoInst.exe


VundoFix V5.0.0

Checking Java version...

Java version is 1.4.2.5

Scan started at 7:02:37 PM 7/8/2006

Listing files found while scanning....

C:\windows\system32\jkkhede.dll
C:\windows\system32\ssqrs.dll
C:\windows\system32\srqss.ini
C:\windows\system32\srqss.bak1
C:\windows\system32\srqss.ini2
C:\windows\system32\srqss.tmp
Attempting to delete C:\windows\system32\jkkhede.dll
C:\windows\system32\jkkhede.dll Has been deleted!

Attempting to delete C:\windows\system32\ssqrs.dll
C:\windows\system32\ssqrs.dll Could not be deleted.

Attempting to delete C:\windows\system32\srqss.ini
C:\windows\system32\srqss.ini Has been deleted!

Attempting to delete C:\windows\system32\srqss.bak1
C:\windows\system32\srqss.bak1 Has been deleted!

Attempting to delete C:\windows\system32\srqss.ini2
C:\windows\system32\srqss.ini2 Has been deleted!

Attempting to delete C:\windows\system32\srqss.tmp
C:\windows\system32\srqss.tmp Has been deleted!

Performing Repairs to the registry.
Done!

:thumbsup:

#5 sendero

Posted 08 July 2006 - 07:10 PM

update,

Although the virtumonde infection appears gone, I have tons of popups with explorer.....Interesting, I do not use explorer!
I tried again adaware and spybot and they could not find anything...can you help me?
thanks

#6 sendero

Posted 08 July 2006 - 10:07 PM

Final update of the day,

I run nod 32 again and I have this msg

"trojan Win32/TrojanDownloader.Delf.AMB found in operating memory. The file can be deleted. It is strongly recommended that you back up any crucial data before you proceed. No action can be taken while the file is in memory. Click "Leave" to continue and subsequently run the cleaning of all local disks. System memory infection originated from file C:\WINDOWS\g126785484.dll"

The programs crashed several times...

I tried to delete the file without any help.

Can you help me?
thanks

#7 -David-

Posted 09 July 2006 - 03:32 AM

Unfortunately your vundo infection is still present.

Download VirtumundoBeGone from:
http://secured2k.home.comcast.net/tools/VirtumundoBeGone.exe

* Save it to your Desktop
* Reboot your system
* Close all running programs (including your Internet Browser)
* Double-click VirtumundoBeGone.exe on the desktop
* Follow the directions as indicated

Please be advised that this program will generate a "Blue Screen of Death"... this is an expected/necessary part of the process, so don't be surprised when it happens.
VirtumundoBeGone generates a "log" file of its own, which it should have placed on your Desktop... please REPLY to this thread, and copy/paste the VirtumundoBeGone log back here together with a new HijackThis log.

David

#8 sendero

Posted 09 July 2006 - 08:37 AM

what a nightmare!

I tried to save the file to my desktop (VirtumundoBeGone) and I couldn't...then, I run it from the floppy, it did not work, then I tried spybot again and I was able to clean it...then, I was able to save VirtumundoBeGone, and it appears clear....however I have a couple of instances of popups with explorer...
here are both files...
what do you think?


[07/09/2006, 8:48:58] - VirtumundoBeGone v1.5 ( "A:\VirtumundoBeGone.exe" )
[07/09/2006, 8:49:03] - Detected System Information:
[07/09/2006, 8:49:04] - Windows Version: 5.1.2600, Service Pack 2
[07/09/2006, 8:49:04] - Current Username: Owner (Admin)
[07/09/2006, 8:49:05] - Windows is in NORMAL mode.
[07/09/2006, 8:49:06] - Searching for Browser Helper Objects:
[07/09/2006, 8:49:06] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[07/09/2006, 8:49:07] - BHO 2: {0B5F7FDF-0717-45BF-B49D-695F3168C7FE} ()
[07/09/2006, 8:49:07] - WARNING: BHO has no default name. Checking for Winlogon reference.
[07/09/2006, 8:49:07] - Checking for HKLM\...\Winlogon\Notify\admparsek
[07/09/2006, 8:49:08] - Key not found: HKLM\...\Winlogon\Notify\admparsek, continuing.
[07/09/2006, 8:49:08] - BHO 3: {53707962-6F74-2D53-2644-206D7942484F} ()
[07/09/2006, 8:49:08] - WARNING: BHO has no default name. Checking for Winlogon reference.
[07/09/2006, 8:49:09] - Checking for HKLM\...\Winlogon\Notify\SDHelper
[07/09/2006, 8:49:09] - Key not found: HKLM\...\Winlogon\Notify\SDHelper, continuing.
[07/09/2006, 8:49:09] - BHO 4: {724d43a9-0d85-11d4-9908-00400523e39a} ()
[07/09/2006, 8:49:09] - WARNING: BHO has no default name. Checking for Winlogon reference.
[07/09/2006, 8:49:10] - Checking for HKLM\...\Winlogon\Notify\RoboForm
[07/09/2006, 8:49:10] - Key not found: HKLM\...\Winlogon\Notify\RoboForm, continuing.
[07/09/2006, 8:49:10] - BHO 5: {82CCD15F-5A4F-4FB3-BE26-C4BC9266BFB9} ()
[07/09/2006, 8:49:11] - WARNING: BHO has no default name. Checking for Winlogon reference.
[07/09/2006, 8:49:11] - Checking for HKLM\...\Winlogon\Notify\ssqrs
[07/09/2006, 8:49:11] - Found: HKLM\...\Winlogon\Notify\ssqrs - This is probably Virtumundo.
[07/09/2006, 8:49:12] - Assigning {82CCD15F-5A4F-4FB3-BE26-C4BC9266BFB9} MSEvents Object
[07/09/2006, 8:49:12] - BHO list has been changed! Starting over...
[07/09/2006, 8:49:12] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[07/09/2006, 8:49:12] - BHO 2: {0B5F7FDF-0717-45BF-B49D-695F3168C7FE} ()
[07/09/2006, 8:49:13] - WARNING: BHO has no default name. Checking for Winlogon reference.
[07/09/2006, 8:49:13] - Checking for HKLM\...\Winlogon\Notify\admparsek
[07/09/2006, 8:49:14] - Key not found: HKLM\...\Winlogon\Notify\admparsek, continuing.
[07/09/2006, 8:49:14] - BHO 3: {53707962-6F74-2D53-2644-206D7942484F} ()
[07/09/2006, 8:49:14] - WARNING: BHO has no default name. Checking for Winlogon reference.
[07/09/2006, 8:49:15] - Checking for HKLM\...\Winlogon\Notify\SDHelper
[07/09/2006, 8:49:15] - Key not found: HKLM\...\Winlogon\Notify\SDHelper, continuing.
[07/09/2006, 8:49:15] - BHO 4: {724d43a9-0d85-11d4-9908-00400523e39a} ()
[07/09/2006, 8:49:15] - WARNING: BHO has no default name. Checking for Winlogon reference.
[07/09/2006, 8:49:16] - Checking for HKLM\...\Winlogon\Notify\RoboForm
[07/09/2006, 8:49:16] - Key not found: HKLM\...\Winlogon\Notify\RoboForm, continuing.
[07/09/2006, 8:49:16] - BHO 5: {82CCD15F-5A4F-4FB3-BE26-C4BC9266BFB9} (MSEvents Object)
[07/09/2006, 8:49:17] - ALERT: Found MSEvents Object!
[07/09/2006, 8:49:17] - BHO 6: {955BE0B8-BC85-4CAF-856E-8E0D8B610560} (Encarta Web Companion Helper Object)
[07/09/2006, 8:49:17] - Finished Searching Browser Helper Objects
[07/09/2006, 8:49:18] - *** Detected MSEvents Object
[07/09/2006, 8:49:18] - Trying to remove MSEvents Object...
[07/09/2006, 8:49:20] - Terminating Process: IEXPLORE.EXE
[07/09/2006, 8:49:22] - Terminating Process: RUNDLL32.EXE
[07/09/2006, 8:49:23] - Disabling Automatic Shell Restart
[07/09/2006, 8:49:23] - Terminating Process: EXPLORER.EXE
[07/09/2006, 8:50:11] - Suspending the NT Session Manager System Service
[07/09/2006, 8:50:15] - Terminating Windows NT Logon/Logoff Manager
[07/09/2006, 8:55:44] - Re-enabling Automatic Shell Restart
[07/09/2006, 8:55:44] - File to disable: C:\WINDOWS\system32\ssqrs.dll
[07/09/2006, 8:55:44] - Renaming C:\WINDOWS\system32\ssqrs.dll -> C:\WINDOWS\system32\ssqrs.dll.vir
[07/09/2006, 8:55:47] - File successfully renamed!
[07/09/2006, 8:55:47] - Removing HKLM\...\Browser Helper Objects\{82CCD15F-5A4F-4FB3-BE26-C4BC9266BFB9}
[07/09/2006, 8:55:48] - Removing HKCR\CLSID\{82CCD15F-5A4F-4FB3-BE26-C4BC9266BFB9}
[07/09/2006, 8:55:48] - Adding Kill Bit for ActiveX for GUID: {82CCD15F-5A4F-4FB3-BE26-C4BC9266BFB9}
[07/09/2006, 8:55:49] - Deleting ATLEvents/MSEvents Registry entries
[07/09/2006, 8:55:49] - Removing HKLM\...\Winlogon\Notify\ssqrs
[07/09/2006, 8:55:50] - Searching for Browser Helper Objects:
[07/09/2006, 8:55:50] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[07/09/2006, 8:55:50] - BHO 2: {0B5F7FDF-0717-45BF-B49D-695F3168C7FE} ()
[07/09/2006, 8:55:50] - WARNING: BHO has no default name. Checking for Winlogon reference.
[07/09/2006, 8:55:51] - Checking for HKLM\...\Winlogon\Notify\admparsek
[07/09/2006, 8:55:51] - Key not found: HKLM\...\Winlogon\Notify\admparsek, continuing.
[07/09/2006, 8:55:51] - BHO 3: {53707962-6F74-2D53-2644-206D7942484F} ()
[07/09/2006, 8:55:51] - WARNING: BHO has no default name. Checking for Winlogon reference.
[07/09/2006, 8:55:52] - Checking for HKLM\...\Winlogon\Notify\SDHelper
[07/09/2006, 8:55:52] - Key not found: HKLM\...\Winlogon\Notify\SDHelper, continuing.
[07/09/2006, 8:55:52] - BHO 4: {724d43a9-0d85-11d4-9908-00400523e39a} ()
[07/09/2006, 8:55:52] - WARNING: BHO has no default name. Checking for Winlogon reference.
[07/09/2006, 8:55:53] - Checking for HKLM\...\Winlogon\Notify\RoboForm
[07/09/2006, 8:55:53] - Key not found: HKLM\...\Winlogon\Notify\RoboForm, continuing.
[07/09/2006, 8:55:53] - BHO 5: {955BE0B8-BC85-4CAF-856E-8E0D8B610560} (Encarta Web Companion Helper Object)
[07/09/2006, 8:55:53] - Finished Searching Browser Helper Objects
[07/09/2006, 8:55:54] - Finishing up...
[07/09/2006, 8:55:54] - A restart is needed.
[07/09/2006, 8:55:54] - Automatic Reboot on STOP Error is not set. User will have to manually restart.
[07/09/2006, 9:13:24] - Attempting to Restart via STOP error (Blue Screen!)

[07/09/2006, 9:30:46] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Owner\Desktop\VirtumundoBeGone.exe" )
[07/09/2006, 9:30:50] - Detected System Information:
[07/09/2006, 9:30:51] - Windows Version: 5.1.2600, Service Pack 2
[07/09/2006, 9:30:52] - Current Username: Owner (Admin)
[07/09/2006, 9:30:52] - Windows is in NORMAL mode.
[07/09/2006, 9:30:53] - Searching for Browser Helper Objects:
[07/09/2006, 9:30:53] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[07/09/2006, 9:30:53] - BHO 2: {0B5F7FDF-0717-45BF-B49D-695F3168C7FE} ()
[07/09/2006, 9:30:54] - WARNING: BHO has no default name. Checking for Winlogon reference.
[07/09/2006, 9:30:54] - Checking for HKLM\...\Winlogon\Notify\admparsek
[07/09/2006, 9:30:55] - Key not found: HKLM\...\Winlogon\Notify\admparsek, continuing.
[07/09/2006, 9:30:55] - BHO 3: {53707962-6F74-2D53-2644-206D7942484F} ()
[07/09/2006, 9:30:56] - WARNING: BHO has no default name. Checking for Winlogon reference.
[07/09/2006, 9:30:56] - Checking for HKLM\...\Winlogon\Notify\SDHelper
[07/09/2006, 9:30:56] - Key not found: HKLM\...\Winlogon\Notify\SDHelper, continuing.
[07/09/2006, 9:30:57] - BHO 4: {724d43a9-0d85-11d4-9908-00400523e39a} ()
[07/09/2006, 9:30:57] - WARNING: BHO has no default name. Checking for Winlogon reference.
[07/09/2006, 9:30:58] - Checking for HKLM\...\Winlogon\Notify\RoboForm
[07/09/2006, 9:30:58] - Key not found: HKLM\...\Winlogon\Notify\RoboForm, continuing.
[07/09/2006, 9:30:59] - BHO 5: {955BE0B8-BC85-4CAF-856E-8E0D8B610560} (Encarta Web Companion Helper Object)
[07/09/2006, 9:30:59] - Finished Searching Browser Helper Objects
[07/09/2006, 9:30:59] - Finishing up...
[07/09/2006, 9:31:00] - Nothing found! Exiting...

Logfile of HijackThis v1.99.1
Scan saved at 9:34:04 AM, on 7/9/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Prevx Home\PXAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\M-Audio Uno\UnoInst.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Creative\Sound Blaster\Surround Mixer\CTSysVol.exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Owner\Desktop\utorrent.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\hjt\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = +w
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = +w
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = +w
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O1 - Hosts: AmsServer
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {0B5F7FDF-0717-45BF-B49D-695F3168C7FE} - C:\WINDOWS\system32\admparsek.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O2 - BHO: Encarta Web Companion Helper Object - {955BE0B8-BC85-4CAF-856E-8E0D8B610560} - C:\Program Files\Common Files\Microsoft Shared\Encarta Web Companion\ENCWCBAR.DLL
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: Encarta Web Companion - {147D6308-0614-4112-89B1-31402F9B82C4} - C:\Program Files\Common Files\Microsoft Shared\Encarta Web Companion\ENCWCBAR.DLL
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\Sound Blaster\Surround Mixer\CTSysVol.exe /r
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Global Startup: NOD32 FiX.lnk = C:\WINDOWS\system32\regedt32.exe
O8 - Extra context menu item: Customize Menu &4 - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download web site with Free Download Manager - file://C:\Program Files\Free Download Manager\dlpage.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: Fill Forms &] - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: Save Forms &[ - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\Program Files\VisualRoute\vrie.dll
O9 - Extra 'Tools' menuitem: VisualRoute Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\Program Files\VisualRoute\vrie.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms &] - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms &[ - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm &2 - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: IE HTTP Analyzer - {C7B3DF1E-6EFC-41E8-9DA7-EBC1F973832D} - C:\PROGRA~1\HTTPAN~1\IEHTTP~1.DLL
O9 - Extra 'Tools' menuitem: IE HTTP Analyzer - {C7B3DF1E-6EFC-41E8-9DA7-EBC1F973832D} - C:\PROGRA~1\HTTPAN~1\IEHTTP~1.DLL
O9 - Extra button: HotWhois - {CF4DA62E-8A85-4C89-8232-F555BC352B0B} - C:\Program Files\HotWhois\awie.exe
O9 - Extra 'Tools' menuitem: &HotWhois - {CF4DA62E-8A85-4C89-8232-F555BC352B0B} - C:\Program Files\HotWhois\awie.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kav...can_unicode.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://echat.us.dell.com/Media/VisitorChat/TLIEFlash.CAB
O18 - Protocol: Festoon - (no CLSID) - (no file)
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Protocol: vskype - (no CLSID) - (no file)
O20 - Winlogon Notify: cfgmngr32 - C:\WINDOWS\g126785484.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winuqw32 - C:\WINDOWS\SYSTEM32\winuqw32.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IUWAKKBS - Unknown owner - C:\DOCUME~1\Owner\LOCALS~1\Temp\IUWAKKBS.exe (file missing)
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Prevx Agent (PrevxAgent) - Unknown owner - C:\Program Files\Prevx Home\PXAgent.exe" -f (file missing)
O23 - Service: M-Audio Uno Installer (UnoInstallerService) - Unknown owner - C:\Program Files\M-Audio Uno\UnoInst.exe

#9 -David-

  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London

Posted 09 July 2006 - 08:47 AM

Hey sendero,

In the short space of time between post #4 and now you have been reinfected. Is your NOD32 updated to the latest malware signatures? If not, please update the program and run a full system scan. I need you to basically repeat the instructions again. On a positive note, the VirtumundoBeGone tool worked well and your Vundo infection is now gone.

It is a good idea to print off these instructions - they will be needed later when internet access is not available. You may also like to save these instructions in Word/Notepad to the desktop where they can be easily found for the same reasons as above. It is important that you complete the following instructions in the correct order, and also that you don't miss anything out! If you don't understand a step or it doesn't work, please let me know - it's important.

* Download win32delfkil.exe: http://users.telenet.be/marcvn/tools/win32delfkil.exe
Save it on your desktop.
Double click on win32delfkil.exe and install it. This creates a new folder on your desktop: win32delfkil
Close all windows, open the win32delfkil folder and double click on fix.bat.
Please read the instructions you'll get.
It will ask you to shutdown your system using the power button instead of the normal shut down procedure.

* Open hijackthis, click 'config' (bottom right)
Choose the tab 'misc Tools' on top.
Choose 'delete a file on reboot'
In the field, copy and paste next:

C:\WINDOWS\SYSTEM32\winuqw32.dll

Click open.
Hijackthis will tell you that this file will be deleted on next reboot and if you want to reboot now.
When asked if you want to reboot now, say No.

* Open notepad and copy and paste next in it:

sc delete IUWAKKBS
sc delete PrevxAgent

Save this as fix.bat
Choose to save as all files.
This is how the batch must look afterwards: Posted Image
Double-click fix.bat and copy the contents of the text file that opens back here.

* Now start a new scan with HJT and place a checkmark next to each of the following items (if present):

O2 - BHO: (no name) - {0B5F7FDF-0717-45BF-B49D-695F3168C7FE} - C:\WINDOWS\system32\admparsek.dll
O18 - Protocol: Festoon - (no CLSID) - (no file)
O18 - Protocol: vskype - (no CLSID) - (no file)
O20 - Winlogon Notify: cfgmngr32 - C:\WINDOWS\g126785484.dll
O20 - Winlogon Notify: winuqw32 - C:\WINDOWS\SYSTEM32\winuqw32.dll


* Make sure your Internet Explorer is closed and click on "Fix Checked" and exit HijackThis when finished.

* Using Windows Explorer, locate the following files/folders, and delete them if still present:

C:\WINDOWS\system32\admparsek.dll

* Download Combofix to your desktop.
Double-click combo.exe
Follow the prompts.
Don't click on the window while the fix is running, because that will cause your system to hang.
When finished, it should produce a log, combofix.txt.
Post this log in your next reply together with a new HijackThis log.

David
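As an added example (not code from this post, from HijackThis or from any other tool named in the thread), the Python script below applies the same triage judgement David used on the log above: an unnamed BHO loaded straight from System32, O18 protocol handlers with no CLSID and no file, Winlogon Notify subkeys outside the stock XP set (one of them a randomly named DLL dropped in C:\WINDOWS), and services whose binary is missing or sits in a Temp folder. The allow-list of stock Windows XP SP2 Winlogon Notify subkeys is an assumption; the sample lines are copied from the HijackThis log earlier in this thread.

```python
"""Triage a HijackThis v1.99.1 log for the persistence points the helper
singled out above (unnamed BHO, dead O18 handlers, rogue Winlogon Notify
DLLs, services whose binary is missing or lives in Temp)."""
import re
from dataclasses import dataclass

# Stock Windows XP SP2 Winlogon\Notify subkeys (assumed list). Vundo registers
# its randomly named DLL here so winlogon.exe loads it before any scanner runs.
KNOWN_NOTIFY = {
    "crypt32chain", "cryptnet", "cscdll", "ScCertProp", "Schedule", "sclgntfy",
    "SensLogn", "termsrv", "wlballoon", "igfxcui", "WgaLogon", "dimsntfy",
}
LINE_RE = re.compile(r"^(?P<sec>[ROF]\d+) - (?P<body>.*)$")
WINDIR_DLL = re.compile(r"^C:\\WINDOWS\\[^\\]+\.dll$", re.I)   # dropped in C:\WINDOWS itself
RANDOM_DLL = re.compile(r"\\g\d{5,}\.dll$", re.I)              # g<digits>.dll, as in the ComboFix listing
SYSTEM32_DLL = re.compile(r"^C:\\WINDOWS\\system32\\[^\\]+\.dll$", re.I)
TEMP_DIR = re.compile(r"\\(temp|locals~1)\\", re.I)


@dataclass
class Finding:
    line: str      # HJT line verbatim, ready for "Fix checked"
    section: str   # O2 / O18 / O20 / O23
    name: str      # BHO label, protocol, Notify subkey or service short name
    reason: str


def _parse(line):
    """Split 'O20 - Winlogon Notify: name - path' into (section, label, [rest])."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    parts = m.group("body").split(" - ")
    _, _, label = parts[0].partition(": ")
    return m.group("sec"), label, parts[1:]


def triage(log_text):
    findings = []
    for raw in log_text.splitlines():
        parsed = _parse(raw)
        if not parsed:
            continue
        sec, label, rest = parsed
        line, path = raw.strip(), (rest[-1] if rest else "")
        if sec == "O2" and label == "(no name)" and SYSTEM32_DLL.match(path):
            findings.append(Finding(line, sec, label, "unnamed BHO loaded straight from System32"))
        elif sec == "O18" and rest == ["(no CLSID)", "(no file)"]:
            findings.append(Finding(line, sec, label, "protocol handler with no CLSID and no file"))
        elif sec == "O20" and label not in KNOWN_NOTIFY:
            why = "Winlogon Notify subkey not in the stock XP set"
            if WINDIR_DLL.match(path) or RANDOM_DLL.search(path):
                why += "; randomly named DLL dropped in C:\\WINDOWS"
            findings.append(Finding(line, sec, label, why))
        elif sec == "O23" and ("(file missing)" in path or TEMP_DIR.search(path)):
            short = re.search(r"\(([^()]+)\)$", label)   # "Prevx Agent (PrevxAgent)" -> PrevxAgent
            name = short.group(1) if short else label
            findings.append(Finding(line, sec, name, "service binary missing or located in a Temp folder"))
    return findings


def hjt_fix_list(findings):
    """Lines to tick under 'Fix checked'; services were handled with sc delete instead."""
    return [f.line for f in findings if f.section != "O23"]


def service_delete_commands(findings):
    """Contents of the cleanup batch file, one 'sc delete' per rogue service."""
    return [f"sc delete {f.name}" for f in findings if f.section == "O23"]


# O2/O18/O20/O23 lines copied from the HijackThis log earlier in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {0B5F7FDF-0717-45BF-B49D-695F3168C7FE} - C:\WINDOWS\system32\admparsek.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O18 - Protocol: Festoon - (no CLSID) - (no file)
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Protocol: vskype - (no CLSID) - (no file)
O20 - Winlogon Notify: cfgmngr32 - C:\WINDOWS\g126785484.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winuqw32 - C:\WINDOWS\SYSTEM32\winuqw32.dll
O23 - Service: IUWAKKBS - Unknown owner - C:\DOCUME~1\Owner\LOCALS~1\Temp\IUWAKKBS.exe (file missing)
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Prevx Agent (PrevxAgent) - Unknown owner - C:\Program Files\Prevx Home\PXAgent.exe" -f (file missing)
"""

if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for f in hits:
        print(f"{f.section:<4}{f.name:<12}{f.reason}")
    print(*hjt_fix_list(hits), *service_delete_commands(hits), sep="\n")
```

Run against the sample it reproduces David's five "Fix checked" lines and the two `sc delete` lines of his fix.bat; Spybot's unnamed SDHelper BHO and the stock igfxcui/WgaLogon Notify entries are left alone.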

#10 sendero

  • Topic Starter
  • Members
  • 50 posts

Posted 09 July 2006 - 09:01 AM

I am unable to d/l http://users.telenet.be/marcvn/tools/win32delfkil.exe
It says that I need to d/l not to the desktop....
I will try to use another comp and save it to the A drive...

#11 sendero

  • Topic Starter
  • Members
  • 50 posts

Posted 09 July 2006 - 09:57 AM

Here they are!

Start Time= Sun 07/09/2006 10:50:55.03
Running from: C:\Documents and Settings\Owner\Desktop

QuickScan did not find any signs of infected files

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-12-09 01:32:44 487424 ( A.... ) "C:\WINDOWS\system32\MSVCP70.DLL"
2007-12-09 01:32:44 344064 ( A.... ) "C:\WINDOWS\system32\msvcr70.dll"
2007-12-09 01:32:40 487936 ( A.... ) "C:\WINDOWS\system32\rmbe3260.dll"
2007-12-09 01:32:40 352768 ( A.... ) "C:\WINDOWS\system32\pngu3263.dll"
2007-12-09 01:32:40 131072 ( A.... ) "C:\WINDOWS\system32\pneng50.dll"
2007-12-09 01:32:40 130560 ( A.... ) "C:\WINDOWS\system32\pnc3250.dll"
2007-12-09 01:32:40 87040 ( A.... ) "C:\WINDOWS\system32\ra32sipr.dll"
2007-12-09 01:32:40 85504 ( A.... ) "C:\WINDOWS\system32\encdnet.dll"
2007-12-09 01:32:40 81920 ( A.... ) "C:\WINDOWS\system32\ra3214_4.dll"
2007-12-09 01:32:40 72704 ( A.... ) "C:\WINDOWS\system32\ra3228_8.dll"
2007-12-09 01:32:40 61952 ( A.... ) "C:\WINDOWS\system32\decdnet.dll"
2007-12-09 01:32:40 21504 ( A.... ) "C:\WINDOWS\system32\ra32dnet.dll"
2006-07-08 19:57:20 56832 ( A.... ) "C:\WINDOWS\g1075625.dll"
2006-07-08 12:50:36 56832 ( A.... ) "C:\WINDOWS\g10630859.dll"
2006-07-08 12:30:52 56832 ( A.... ) "C:\WINDOWS\g9427625.dll"
2006-07-08 11:30:50 56832 ( A.... ) "C:\WINDOWS\g5813593.dll"
2006-07-08 11:12:14 56832 ( A.... ) "C:\WINDOWS\g4608468.dll"
2006-07-08 10:50:26 56832 ( A.... ) "C:\WINDOWS\g3406609.dll"
2006-07-08 09:49:12 56832 ( A.... ) "C:\WINDOWS\g126785484.dll"
2006-07-08 09:27:24 56832 ( A.... ) "C:\WINDOWS\g125459640.dll"
2006-07-08 09:05:00 56832 ( A.... ) "C:\WINDOWS\g124136656.dll"
2006-07-08 08:01:00 56832 ( A.... ) "C:\WINDOWS\g120293140.dll"
2006-07-08 07:40:56 56832 ( A.... ) "C:\WINDOWS\g118983562.dll"
2006-07-08 07:17:06 56832 ( A.... ) "C:\WINDOWS\g117648656.dll"
2006-07-08 06:10:52 56832 ( A.... ) "C:\WINDOWS\g113686500.dll"
2006-07-08 05:49:06 56832 ( A.... ) "C:\WINDOWS\g112364546.dll"
2006-07-08 05:27:02 56832 ( A.... ) "C:\WINDOWS\g111041500.dll"
2006-07-08 04:20:46 56832 ( A.... ) "C:\WINDOWS\g107079031.dll"
2006-07-08 04:00:50 56832 ( A.... ) "C:\WINDOWS\g105876156.dll"
2006-07-08 03:40:00 56832 ( A.... ) "C:\WINDOWS\g104554312.dll"
2006-07-08 02:32:42 56832 ( A.... ) "C:\WINDOWS\g100591625.dll"
2006-07-08 02:13:18 56832 ( A.... ) "C:\WINDOWS\g99389703.dll"
2006-07-08 01:52:26 56832 ( A.... ) "C:\WINDOWS\g98187296.dll"
2006-07-08 00:48:36 56832 ( A.... ) "C:\WINDOWS\g94341656.dll"
2006-07-08 00:26:26 56832 ( A.... ) "C:\WINDOWS\g93026312.dll"
2006-07-08 00:07:14 56832 ( A.... ) "C:\WINDOWS\g91816312.dll"
2006-07-07 23:01:02 56832 ( A.... ) "C:\WINDOWS\g87853937.dll"
2006-07-07 22:39:40 56832 ( A.... ) "C:\WINDOWS\g86530343.dll"
2006-07-07 22:16:22 56832 ( A.... ) "C:\WINDOWS\g85207093.dll"
2006-07-07 20:06:06 569396 ( A.... ) "C:\WINDOWS\system32\ssqrs.dll.vir"
2006-07-07 19:12:20 ( .D... ) "C:\Documents and Settings\Owner\Application Data\foobar2000"
2006-07-07 18:57:52 ( .D... ) "C:\Program Files\foobar2000"
2006-07-07 18:08:08 56832 ( A.... ) "C:\WINDOWS\g70191953.dll"
2006-07-07 18:05:32 ( .D... ) "C:\Program Files\FireTune"
2006-07-07 18:05:08 737280 ( A.... ) "C:\WINDOWS\iun6002.exe"
2006-07-07 17:43:34 56832 ( A.... ) "C:\WINDOWS\g68867328.dll"
2006-07-07 17:23:50 56832 ( A.... ) "C:\WINDOWS\g67670390.dll"
2006-07-07 14:46:14 56832 ( A.... ) "C:\WINDOWS\g58011921.dll"
2006-07-07 14:21:52 56832 ( A.... ) "C:\WINDOWS\g56760312.dll"
2006-07-07 13:21:44 56832 ( A.... ) "C:\WINDOWS\g53149421.dll"
2006-07-07 12:59:38 56832 ( A.... ) "C:\WINDOWS\g51831500.dll"
2006-07-07 12:39:32 56832 ( A.... ) "C:\WINDOWS\g50618171.dll"
2006-07-07 11:33:16 56832 ( A.... ) "C:\WINDOWS\g46651406.dll"
2006-07-07 11:13:20 56832 ( A.... ) "C:\WINDOWS\g45450937.dll"
2006-07-07 10:53:24 56832 ( A.... ) "C:\WINDOWS\g44248359.dll"
2006-07-07 08:13:26 56832 ( A.... ) "C:\WINDOWS\g34636406.dll"
2006-07-07 07:51:52 56832 ( A.... ) "C:\WINDOWS\g33307468.dll"
2006-07-07 07:41:34 ( .D... ) "C:\Program Files\Network Associates"
2006-07-06 22:50:40 56832 ( A.... ) "C:\WINDOWS\g824500.dll"
2006-07-06 18:45:22 77312 ( A.... ) "C:\WINDOWS\system32\regperf.exe"
2006-07-06 18:38:12 18432 ( A.... ) "C:\WINDOWS\system32\winuqw32.dll"
2006-07-06 18:27:50 ( .D... ) "C:\Program Files\Finale Performance Assessment"
2006-07-02 19:27:18 ( .D... ) "C:\Documents and Settings\Owner\Application Data\LEAPS"
2006-07-02 19:25:08 ( .D... ) "C:\Documents and Settings\Owner\Application Data\Pegasys Inc"
2006-07-02 19:13:34 ( .D... ) "C:\Program Files\MidiNotate"
2006-06-25 10:04:06 14848 ( A.... ) "C:\WINDOWS\system32\BASSMOD.dll"
2006-06-25 10:01:46 ( .D... ) "C:\Program Files\Total Video Converter"
2006-06-24 23:17:14 286720 ( A.... ) "C:\WINDOWS\iun507.exe"
2006-06-23 15:09:32 ( .D... ) "C:\Program Files\HTTPAnalyzerFull"
2006-06-23 10:06:48 ( .D... ) "C:\Program Files\TimeWarp"
2006-06-22 21:40:16 10599 ( A.... ) "C:\delfiles.bat"
2006-06-21 19:55:20 ( .D... ) "C:\Program Files\FileMonk"
2006-06-19 20:35:12 ( .D... ) "C:\Program Files\iPod"
2006-06-19 20:35:10 ( .D... ) "C:\Program Files\iTunes"
2006-06-19 19:51:44 ( .D... ) "C:\Program Files\Skype"
2006-06-19 16:20:42 702768 ( A.... ) "C:\WINDOWS\system32\WgaLogon.dll"
2006-06-15 15:08:26 81504 ( A.... ) "C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT"
2006-06-09 22:54:40 ( .D... ) "C:\Program Files\M-Audio Uno"
2006-06-08 21:18:38 ( .D... ) "C:\Program Files\PowerISO"
2006-06-01 16:16:04 ( .D... ) "C:\Program Files\Pivo"
2006-06-01 12:55:42 155648 ( A.... ) "C:\Program Files\Common Files\Y1123OA.exe"
2006-05-30 17:39:36 ( .D... ) "C:\Program Files\Alfred Interactive"
2006-05-29 12:09:48 ( .D... ) "C:\Program Files\PPROF30"
2006-05-19 16:01:36 ( .D... ) "C:\Documents and Settings\Owner\Application Data\pdf995"
2006-05-18 08:43:42 41 ( A.... ) "C:\WINDOWS\system32\baddddacb3_s.dll"
2006-05-14 16:58:02 ( .D... ) "C:\Program Files\Transcribe!"
2006-05-13 23:02:12 ( .D... ) "C:\Program Files\Finale 2006"
2006-05-05 12:37:22 249856 ( ..... ) "C:\WINDOWS\Setup1.exe"
2006-05-05 12:35:50 73216 ( A.... ) "C:\WINDOWS\ST6UNST.EXE"
2006-04-22 13:01:32 604 ( A..H. ) "C:\Program Files\STLL Notifier"


(((((((((((((((((((((((((((((((((((((( Files Created - Last 30days )))))))))))))))))))))))))))))))))))))))))))


2006-07-09 10:08 4,096 C:\WINDOWS\system32\reboot.exe
2006-07-09 10:08 16,384 C:\WINDOWS\system32\restart.exe
2006-07-09 10:07 10,599 C:\delfiles.bat
2006-07-08 22:43 1,572,864,000 C:\pagefile.sys
2006-07-08 19:57 56,832 C:\WINDOWS\g1075625.dll
2006-07-08 12:50 56,832 C:\WINDOWS\g10630859.dll
2006-07-08 12:30 56,832 C:\WINDOWS\g9427625.dll
2006-07-08 11:30 56,832 C:\WINDOWS\g5813593.dll
2006-07-08 11:12 56,832 C:\WINDOWS\g4608468.dll
2006-07-08 10:50 56,832 C:\WINDOWS\g3406609.dll
2006-07-08 09:49 56,832 C:\WINDOWS\g126785484.dll
2006-07-08 09:27 56,832 C:\WINDOWS\g125459640.dll
2006-07-08 09:04 56,832 C:\WINDOWS\g124136656.dll
2006-07-08 08:00 56,832 C:\WINDOWS\g120293140.dll
2006-07-08 07:40 56,832 C:\WINDOWS\g118983562.dll
2006-07-08 07:17 56,832 C:\WINDOWS\g117648656.dll
2006-07-08 06:10 56,832 C:\WINDOWS\g113686500.dll
2006-07-08 05:49 56,832 C:\WINDOWS\g112364546.dll
2006-07-08 05:27 56,832 C:\WINDOWS\g111041500.dll
2006-07-08 04:20 56,832 C:\WINDOWS\g107079031.dll
2006-07-08 04:00 56,832 C:\WINDOWS\g105876156.dll
2006-07-08 03:39 56,832 C:\WINDOWS\g104554312.dll
2006-07-08 02:32 56,832 C:\WINDOWS\g100591625.dll
2006-07-08 02:13 56,832 C:\WINDOWS\g99389703.dll
2006-07-08 01:52 56,832 C:\WINDOWS\g98187296.dll
2006-07-08 00:48 56,832 C:\WINDOWS\g94341656.dll
2006-07-08 00:26 56,832 C:\WINDOWS\g93026312.dll
2006-07-08 00:07 56,832 C:\WINDOWS\g91816312.dll
2006-07-07 23:01 56,832 C:\WINDOWS\g87853937.dll
2006-07-07 22:39 56,832 C:\WINDOWS\g86530343.dll
2006-07-07 22:16 56,832 C:\WINDOWS\g85207093.dll
2006-07-07 20:05 569,396 C:\WINDOWS\system32\ssqrs.dll.vir
2006-07-07 18:08 56,832 C:\WINDOWS\g70191953.dll
2006-07-07 17:43 56,832 C:\WINDOWS\g68867328.dll
2006-07-07 17:23 56,832 C:\WINDOWS\g67670390.dll
2006-07-07 14:46 56,832 C:\WINDOWS\g58011921.dll
2006-07-07 14:21 56,832 C:\WINDOWS\g56760312.dll
2006-07-07 13:21 56,832 C:\WINDOWS\g53149421.dll
2006-07-07 12:59 56,832 C:\WINDOWS\g51831500.dll
2006-07-07 12:39 56,832 C:\WINDOWS\g50618171.dll
2006-07-07 11:33 56,832 C:\WINDOWS\g46651406.dll
2006-07-07 11:13 56,832 C:\WINDOWS\g45450937.dll
2006-07-07 10:53 56,832 C:\WINDOWS\g44248359.dll
2006-07-07 08:13 56,832 C:\WINDOWS\g34636406.dll
2006-07-07 07:51 56,832 C:\WINDOWS\g33307468.dll
2006-07-06 22:50 56,832 C:\WINDOWS\g824500.dll
2006-07-06 18:45 77,312 C:\WINDOWS\system32\regperf.exe
2006-07-06 18:38 18,432 C:\WINDOWS\system32\winuqw32.dll
2006-07-02 19:26 151,552 C:\WINDOWS\system32\pxwma.dll
2006-06-11 19:02 85,504 C:\WINDOWS\system32\MAUNOUSN.DLL
2006-06-11 19:02 82,944 C:\WINDOWS\system32\USBMN1X1.DLL
2006-06-11 19:02 17,920 C:\WINDOWS\system32\USBMM1X1.DLL
2006-06-11 19:02 17,920 C:\WINDOWS\system32\MAUNOUSB.DLL
2006-05-30 17:41 286,720 C:\WINDOWS\iun507.exe


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"CTSysVol"="C:\\Program Files\\Creative\\Sound Blaster\\Surround Mixer\\CTSysVol.exe /r"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"PeerGuardian"="C:\\Program Files\\PeerGuardian2\\pg2.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"Skype"="\"D:\\porgramfiles2\\Phone\\Skype.exe\" /nosplash /minimized"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000005

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e4,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e4,02,\
00,00,04,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e4,02,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
@=""
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"="Microsoft AntiMalware ShellExecuteHook"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SpeedUpMyPC.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\SpeedUpMyPC.lnk"
"backup"="C:\\WINDOWS\\pss\\SpeedUpMyPC.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\LIUTIL~1\\SPEEDU~1\\SPEEDU~1.EXE traybar"
"item"="SpeedUpMyPC"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
"backup"="C:\\WINDOWS\\pss\\WinZip Quick Pick.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\WinZip\\WZQKPICK.EXE "
"item"="WinZip Quick Pick"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Dialog Helper.lnk]
"backup"="C:\\WINDOWS\\pss\\Dialog Helper.lnkStartup"
"location"="Startup"
"command"="C:\\PROGRA~1\\VCOM\\POWERD~1\\pddlghlp.exe /s"
"item"="Dialog Helper"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^HDDlife.lnk]
"backup"="C:\\WINDOWS\\pss\\HDDlife.lnkStartup"
"location"="Startup"
"item"="HDDlife"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Juice.lnk]
"backup"="C:\\WINDOWS\\pss\\Juice.lnkStartup"
"location"="Startup"
"item"="Juice"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^PowerReg Scheduler V3.exe]
"backup"="C:\\WINDOWS\\pss\\PowerReg Scheduler V3.exeStartup"
"location"="Startup"
"item"="PowerReg Scheduler V3"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^DOCUME~1^ALLUSE~1^Start Menu^Programs^Startup^GoBack.lnk]
"location"="Common Startup"
"item"="GoBack"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AnyDVD]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="AnyDVD"
"hkey"="HKLM"
"command"="C:\\Program Files\\SlySoft\\AnyDVD\\AnyDVD.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AWMON]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Ad-Watch"
"hkey"="HKLM"
"command"="\"C:\\PROGRA~1\\Lavasoft\\AD-AWA~2\\Ad-Watch.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CloneCDTray]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="CloneCDTray"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\SlySoft\\CloneCD\\CloneCDTray.exe\" /s"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSysVol]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="CTSysVol"
"hkey"="HKLM"
"command"="C:\\Program Files\\Creative\\Sound Blaster\\Surround Mixer\\CTSysVol.exe /r"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="DSAgnt"
"hkey"="HKCU"
"command"="\"C:\\PROGRA~1\\DELLSU~1\\DSAgnt.exe\" /startup"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Festoon]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Festoon"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Free Download Manager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="fdm"
"hkey"="HKCU"
"command"="C:\\Program Files\\Free Download Manager\\fdm.exe -autorun"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H2O]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="cledx"
"hkey"="HKLM"
"command"="C:\\Program Files\\SyncroSoft\\Pos\\H2O\\cledx.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="hkcmd"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\System32\\hkcmd.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="hpcmpmgr"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\HP\\hpcoretech\\hpcmpmgr.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="HPWuSchd"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Hewlett-Packard\\HP Software Update\\HPWuSchd.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="hpztsb09"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\hpztsb09.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="igfxtray"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\System32\\igfxtray.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="iTunesHelper"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MaxtorCombo]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ComboButton"
"hkey"="HKLM"
"command"="\"C:\\PROGRA~1\\Dantz\\RETROS~1\\ComboButton.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="mcupdate"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\mcafee.com\\agent\\mcupdate.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="mimboot"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="mm_tray"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msmsgs"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msnmsgr"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NeroCheck"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NeroCheck"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCShowBuzz]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="PCShowBuzz"
"hkey"="HKLM"
"command"="C:\\Program Files\\inKline Global\\PCShowBuzz\\PCShowBuzz.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Skype"
"hkey"="HKCU"
"command"="\"D:\\porgramfiles2\\Phone\\Skype.exe\" /nosplash /minimized"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\sunasDTServ]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="sunasDTServ"
"hkey"="HKLM"
"command"="C:\\Program Files\\Sunbelt Software\\CounterSpy Client\\sunasDTServ.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\sunasServ]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="sunasServ"
"hkey"="HKLM"
"command"="C:\\Program Files\\Sunbelt Software\\CounterSpy Client\\sunasServ.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\THGuard]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="THGuard"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="realsched"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TotalRecorderScheduler]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="TotRecSched"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\HighCriteria\\TotalRecorder\\TotRecSched.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UnlockerAssistant]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="UnlockerAssistant"
"hkey"="HKLM"
"command"="C:\\Program Files\\Unlocker\\UnlockerAssistant.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="UpdReg"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\UpdReg.EXE"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vptray]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="vptray"
"hkey"="HKLM"
"inimapping"="0"
"command"="C:\\PROGRA~1\\SYMANT~1\\SYMANT~1\\vptray.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vSkype]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="vSkype"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="winampa"
"hkey"="HKLM"
"command"="C:\\Program Files\\Winamp\\winampa.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zone Labs Client]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="zlclient"
"hkey"="HKLM"
"inimapping"="0"
"command"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"x10nets"=dword:00000003
"TUWinStylerThemeSvc"=dword:00000003
"Speed Disk service"=dword:00000002
"SmcService"=dword:00000002
"Pml Driver HPZ12"=dword:00000003
"PGMsgProt"=dword:00000002
"PestPatrol Remote"=dword:00000002
"NProtectService"=dword:00000002
"MskService"=dword:00000002
"MCVSRte"=dword:00000002
"mcupdmgr.exe"=dword:00000003
"McShield"=dword:00000003
"Iomega App Services"=dword:00000002
"Creative Service for CDROM Access"=dword:00000002

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"HotKeysCmds"="C:\\WINDOWS\\System32\\hkcmd.exe"
"IgfxTray"="C:\\WINDOWS\\System32\\igfxtray.exe"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"UpdReg"="C:\\WINDOWS\\UpdReg.EXE"
"WinampAgent"="C:\\Program Files\\Winamp\\winampa.exe"
"AWMON"="\"C:\\PROGRA~1\\Lavasoft\\AD-AWA~2\\Ad-Watch.exe\""
"MCUpdateExe"="C:\\PROGRA~1\\mcafee.com\\agent\\mcupdate.exe"
"HPDJ Taskbar Utility"="C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\hpztsb09.exe"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\WinDefend


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\1-Click Maintenance.job
C:\WINDOWS\tasks\McAfee.com Update Check (NENAS-Owner).job
C:\WINDOWS\tasks\MP Scheduled Scan.job
C:\WINDOWS\tasks\Spybot - Search & Destroy - Scheduled Task.job

Completion time: Sun 07/09/2006 10:53:40.46
ComboFix ver 06.07.08 - This logfile is located at C:\ComboFix.txt

Logfile of HijackThis v1.99.1
Scan saved at 10:56:49 AM, on 7/9/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Prevx Home\PXAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\M-Audio Uno\UnoInst.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Creative\Sound Blaster\Surround Mixer\CTSysVol.exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\hjt\HijackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = +w
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = +w
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = +w
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O1 - Hosts: AmsServer
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O2 - BHO: Encarta Web Companion Helper Object - {955BE0B8-BC85-4CAF-856E-8E0D8B610560} - C:\Program Files\Common Files\Microsoft Shared\Encarta Web Companion\ENCWCBAR.DLL
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: Encarta Web Companion - {147D6308-0614-4112-89B1-31402F9B82C4} - C:\Program Files\Common Files\Microsoft Shared\Encarta Web Companion\ENCWCBAR.DLL
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\Sound Blaster\Surround Mixer\CTSysVol.exe /r
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Global Startup: NOD32 FiX.lnk = C:\WINDOWS\system32\regedt32.exe
O8 - Extra context menu item: Customize Menu &4 - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download web site with Free Download Manager - file://C:\Program Files\Free Download Manager\dlpage.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: Fill Forms &] - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: Save Forms &[ - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\Program Files\VisualRoute\vrie.dll
O9 - Extra 'Tools' menuitem: VisualRoute Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\Program Files\VisualRoute\vrie.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms &] - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms &[ - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm &2 - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: IE HTTP Analyzer - {C7B3DF1E-6EFC-41E8-9DA7-EBC1F973832D} - C:\PROGRA~1\HTTPAN~1\IEHTTP~1.DLL
O9 - Extra 'Tools' menuitem: IE HTTP Analyzer - {C7B3DF1E-6EFC-41E8-9DA7-EBC1F973832D} - C:\PROGRA~1\HTTPAN~1\IEHTTP~1.DLL
O9 - Extra button: HotWhois - {CF4DA62E-8A85-4C89-8232-F555BC352B0B} - C:\Program Files\HotWhois\awie.exe
O9 - Extra 'Tools' menuitem: &HotWhois - {CF4DA62E-8A85-4C89-8232-F555BC352B0B} - C:\Program Files\HotWhois\awie.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kav...can_unicode.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://echat.us.dell.com/Media/VisitorChat/TLIEFlash.CAB
O18 - Protocol: Festoon - (no CLSID) - (no file)
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Protocol: vskype - (no CLSID) - (no file)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Prevx Agent (PrevxAgent) - Unknown owner - C:\Program Files\Prevx Home\PXAgent.exe" -f (file missing)
O23 - Service: M-Audio Uno Installer (UnoInstallerService) - Unknown owner - C:\Program Files\M-Audio Uno\UnoInst.exe

#12 sendero

sendero
  • Topic Starter

  • Members
  • 50 posts

Posted 09 July 2006 - 10:33 AM

david,

I am running nod 32 (that is updated) and it recognized the same worm!
so, I am still infected!
any ideas?
tx

#13 -David-

-David-

  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London

Posted 09 July 2006 - 02:36 PM

I am unable to d/l http://users.telenet.be/marcvn/tools/win32delfkil.exe
it says that I need to d/l not to the desktop....
I will try to use another comp and save it to the a drive...

Hey there,
I don't see this at all. I understand that the installation instructions are in Dutch, but simply click on "installeren" and leave the default install directory and it should install fine.
Let me know what the complication is, we really need to get that tool to run.
David

#14 sendero

sendero
  • Topic Starter

  • Members
  • 50 posts

Posted 09 July 2006 - 04:54 PM

maybe you missed a couple of emails that I sent you....
I was able to run all....now, I am rerunning nod32... and now this soft finds this trojan...I am removing it...
what I will do is to finish nod32 and hjk you again...

#15 -David-

-David-

  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London

Posted 09 July 2006 - 06:06 PM

Ok, didn't receive any emails at all...
I'll check for a reply later.
Post an updated combofix log also.
David
