Infected By A Win32.Trojan


  • This topic is locked
22 replies to this topic

#1 rwalker00
  • Members
  • 13 posts

Posted 04 February 2007 - 02:34 PM

Here is my log. Someone please tell me what to do to get this virus off my computer. I let some friends use my computer and came back to this. I notice in my taskbar there is a red circle with an "X" in it saying "your computer is infected" when I move my mouse over it. And now my computer continuously lets out a low beep every 15 seconds. I ran Lavasoft Ad-Aware, Panda Scan, and a Malicious Scan from Microsoft. Still nothing. My computer is very slow now.



Logfile of HijackThis v1.99.1
Scan saved at 2:23:21 PM, on 2/4/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5450.0004)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
C:\Program Files\Logitech\ImageStudio\LogiTray.exe
C:\Program Files\Dell Photo AIO Printer 962\dlbxmon.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\windows\system32\upnp.exe
C:\WINDOWS\system32\conlnuvl.exe
C:\WINDOWS\system32\cstatvmq.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe
C:\Windows\xpupdate.exe
C:\PROGRA~1\MUSICM~1\MUSICM~2\MMDiag.exe
C:\WINDOWS\system32\hssmkrsc.exe
C:\WINDOWS\system32\amtlldm.exe
C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mim.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\dlbxcoms.exe
C:\DOCUME~1\RELAWA~1\LOCALS~1\Temp\spoolsvv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://search.bearshare.com/sidebar.html?src=ssb
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.bearshare.com/sidebar.html?src=ssb
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=54729
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=552...cid={SUB_CLCID}
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.bearshare.com/sidebar.html?src=ssb
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R3 - URLSearchHook: (no name) - <default> - (no file)
R3 - URLSearchHook: (no name) - _{EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O1 - Hosts: comments (such as these) may be inserted on individual
O1 - Hosts: 216.19.0.250 idenupdate.motorola.com
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Yahoo ToolBar - {BE756CFF-ADB4-4bc5-A35F-19E546E5710E} - C:\WINDOWS\system32\winnet.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~2\mimboot.exe
O4 - HKLM\..\Run: [dlbxmon.exe] "C:\Program Files\Dell Photo AIO Printer 962\dlbxmon.exe"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DLBXCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLBXtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [spoolsvv] C:\WINDOWS\system32\spoolsvv.exe
O4 - HKLM\..\Run: [upp] c:\windows\system32\upnp.exe
O4 - HKLM\..\Run: [Mucmlls] conlnuvl.exe
O4 - HKLM\..\Run: [nvcdllx] C:\WINDOWS\system32\cstatvmq.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O4 - HKCU\..\Run: [taskdir] C:\WINDOWS\system32\taskdir.exe
O4 - HKCU\..\Run: [dnhlpss] C:\WINDOWS\system32\hssmkrsc.exe
O4 - HKCU\..\Run: [rmskbsl] C:\WINDOWS\system32\amtlldm.exe
O4 - HKCU\..\Run: [nvcdllx] C:\WINDOWS\system32\cstatvmq.exe
O4 - Startup: Cyber-shot Viewer Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...96/mcinsctl.cab
O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://www.slide.com/uploader/SlideImageUploader.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3301A119-C6FE-4FD8-ADC9-6148B45F0A22}: NameServer = 66.35.255.12
O17 - HKLM\System\CCS\Services\Tcpip\..\{AE3C5B2C-23C5-4725-8943-A79A2A22B3DA}: NameServer = 66.35.255.12
O17 - HKLM\System\CCS\Services\Tcpip\..\{EE70919B-B981-43C2-AA95-D2BCFF4E473E}: NameServer = 66.35.255.12
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: DCOM Server 60787 - {2C1CD3D7-86AC-4068-93BC-A02304B60787} - C:\WINDOWS\system32\vrqdp.dll
O21 - SSODL: VBewGyJeg - {44A4B783-EE0E-1D29-7A4F-8F766BE85E93} - C:\WINDOWS\system32\nf.dll (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: dlbx_device - Dell - C:\WINDOWS\system32\dlbxcoms.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Windows Task Manager (Taskmng) - Unknown owner - C:\WINDOWS\system32\taskmang.exe
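As an added illustration (not a tool from this thread, from BleepingComputer or from HijackThis), the Python script below parses the HijackThis entry classes that mattered in this log (running processes, O4 Run keys, O17 NameServer, O21 SSODL, O23 services) and applies a few review heuristics of my own: binaries started from a Temp directory or the Windows root, bare file names resolved through the search path, file names one edit away from a core system process such as spoolsv.exe, DNS overrides, and services with no owner. The sample lines are copied from the log above; the core-name list, the known-host allowlist and the one-edit threshold are assumptions, and the output is a list of items to verify, not a verdict.

```python
"""HijackThis v1.99 log triage (added example, not a HijackThis or BleepingComputer tool)."""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "kind item reason")

# Core Windows process names that malware likes to imitate (editor's list, an assumption).
CORE_NAMES = {"smss", "csrss", "winlogon", "services", "lsass", "svchost",
              "spoolsv", "explorer", "ctfmon"}
# Legitimate hosts that show up as bare names in Run values (assumption).
KNOWN_HOSTS = {"rundll32", "regsvr32"}

O4_RE = re.compile(r"^O4 - (HK[LC][MU])\\\.\.\\Run: \[([^\]]*)\] (.*)$")
O17_RE = re.compile(r"^O17 - .*: NameServer = (.*)$")
O21_RE = re.compile(r"^O21 - SSODL: (.*?) - \{[0-9A-Fa-f-]+\} - (.*)$")
O23_RE = re.compile(r"^O23 - Service: (.*?) - (.*?) - (.*)$")
# Quoted path, unquoted path up to the first .exe, or the first token.
TARGET_RE = re.compile(r'"([^"]+)"|(.+?\.exe)|(\S+)', re.I)

# Constructed sample: a subset of the first HijackThis log posted in this thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\system32\winlogon.exe
C:\windows\system32\upnp.exe
C:\DOCUME~1\RELAWA~1\LOCALS~1\Temp\spoolsvv.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [spoolsvv] C:\WINDOWS\system32\spoolsvv.exe
O4 - HKLM\..\Run: [upp] c:\windows\system32\upnp.exe
O4 - HKLM\..\Run: [Mucmlls] conlnuvl.exe
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{3301A119-C6FE-4FD8-ADC9-6148B45F0A22}: NameServer = 66.35.255.12
O21 - SSODL: DCOM Server 60787 - {2C1CD3D7-86AC-4068-93BC-A02304B60787} - C:\WINDOWS\system32\vrqdp.dll
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Windows Task Manager (Taskmng) - Unknown owner - C:\WINDOWS\system32\taskmang.exe
"""


def within_one_edit(a, b):
    """True if a becomes b with at most one insertion, deletion or substitution."""
    if abs(len(a) - len(b)) > 1:
        return False
    i = j = edits = 0
    while i < len(a) and j < len(b):
        if a[i] == b[j]:
            i, j = i + 1, j + 1
            continue
        edits += 1
        if edits > 1:
            return False
        if len(a) > len(b):
            i += 1            # deletion from a
        elif len(a) < len(b):
            j += 1            # insertion into a
        else:
            i, j = i + 1, j + 1  # substitution
    return edits + (len(a) - i) + (len(b) - j) <= 1


def target_file(command):
    """Executable named by a Run value, whether quoted, unquoted with spaces, or bare."""
    m = TARGET_RE.match(command.strip())
    return next(g for g in m.groups() if g) if m else command


def stem(path):
    """Lower-cased file name without a trailing .exe; handles Windows separators anywhere."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return name[:-4] if name.endswith(".exe") else name


def location_reason(path):
    p = path.lower()
    if "\\temp\\" in p or "\\locals~1\\" in p:
        return "runs from a temporary directory"
    if re.fullmatch(r"[a-z]:\\windows\\[^\\]+\.exe", p):
        return "runs from the Windows root rather than system32"
    if "\\" not in p and stem(p) not in KNOWN_HOSTS:
        return "bare file name, resolved through the search path"
    return None


def lookalike_reason(path):
    s = stem(path)
    for core in CORE_NAMES:
        if s != core and within_one_edit(s, core):
            return "name is one edit away from system process %s.exe" % core
    return None


def check_executable(kind, path):
    reason = location_reason(path) or lookalike_reason(path)
    return Finding(kind, stem(path), reason) if reason else None


def triage(log_text):
    """Return review candidates from a HijackThis log in the order they appear."""
    findings, in_procs = [], False
    for line in log_text.splitlines():
        line = line.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            if not line:
                in_procs = False
            elif (f := check_executable("PROC", line)):
                findings.append(f)
            continue
        if (m := O4_RE.match(line)):
            if (f := check_executable("O4 " + m.group(1), target_file(m.group(3)))):
                findings.append(f)
        elif (m := O17_RE.match(line)):
            findings.append(Finding("O17", m.group(1),
                                    "DNS server override; confirm it is your ISP's or router's resolver"))
        elif (m := O21_RE.match(line)):
            findings.append(Finding("O21", stem(m.group(2)),
                                    "SSODL entry loads this DLL into Explorer at logon; verify the publisher"))
        elif (m := O23_RE.match(line)) and m.group(2).lower() == "unknown owner":
            findings.append(Finding("O23", m.group(1), "service with no company name, at " + m.group(3)))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print("%-8s %-32s %s" % (f.kind, f.item, f.reason))
```

On the sample it flags spoolsvv.exe and xpupdate.exe, which SDFix later deleted, while leaving winlogon.exe, ctfmon.exe and the NVIDIA service alone; the full log would also surface legitimate bare names such as BCMSMMSG.exe, which is why each hit still needs a vendor lookup.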

#2 RichieUK
  • Malware Assassin
  • Malware Response Team
  • 13,614 posts

Posted 04 February 2007 - 02:59 PM

Welcome to Bleeping Computer rwalker00.

Download SDFix and save it to your desktop:
http://downloads.andymanchesta.com/RemovalTools/SDFix.zip

Please then reboot your computer in Safe Mode by doing the following:
· Restart your computer
· After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
· Instead of Windows loading as normal, a menu with options should appear;
· Select the first option, to run Windows in Safe Mode, then press "Enter".
· Choose your usual account.
· In Safe Mode, right click the SDFix.zip folder and choose Extract All.
· Open the extracted folder and double click RunThis.bat to start the script.
· Type Y to begin the script.
· It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
· Press any Key and it will restart the PC.
· Your system will take longer than normal to restart as the fixtool will be running and removing files.
· When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
· Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt along with a new HijackThis log into your next reply.

#3 rwalker00 (Topic Starter)
  • Members
  • 13 posts

Posted 04 February 2007 - 03:38 PM

Here is the SDFix Post:


SDFix: Version 1.63

Sun 02/04/2007 - 15:13:47.46

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:

Name:

Path:


Restoring Windows Registry Entries
Restoring Default Hosts File


Rebooting...

Normal Mode:
Checking Files:

Below files will be copied to Backups folder then removed:

C:\WINDOWS\Installer\{ACF60000-22B9-4CE9-98D6-2CCF359BAC07}\_SHCT_Sprint.exe.exe - Deleted
C:\WINDOWS\SYSTEM32\game0.exe.exe - Deleted
C:\WINDOWS\SYSTEM32\game5p.exe.exe - Deleted
C:\DOCUME~1\RELAWA~1\LOCALS~1\Temp\GLF1A6.tmp.exe - Deleted
C:\DOCUME~1\RELAWA~1\LOCALS~1\Temp\GLFE2.tmp.exe - Deleted
C:\DOCUME~1\RELAWA~1\LOCALS~1\Temp\temp_5351375.bat - Deleted
C:\DOCUME~1\RELAWA~1\LOCALS~1\Temp\temp_5569953.bat - Deleted
C:\WINDOWS\comdlj32.dll - Deleted
C:\WINDOWS\system32\dlh9jkd1q1.exe - Deleted
C:\WINDOWS\system32\dlh9jkd1q6.exe - Deleted
C:\WINDOWS\system32\dlh9jkd1q7.exe - Deleted
C:\WINDOWS\system32\dlh9jkd1q8.exe - Deleted
C:\WINDOWS\system32\game1.exe - Deleted
C:\WINDOWS\system32\game2.exe - Deleted
C:\WINDOWS\system32\game3.exe - Deleted
C:\WINDOWS\system32\game4.exe - Deleted
C:\WINDOWS\system32\kernels88.exe - Deleted
C:\WINDOWS\system32\spoolsvv.exe - Deleted
C:\WINDOWS\system32\TFTP7056 - Deleted
C:\WINDOWS\system32\upnp.exe - Deleted
C:\WINDOWS\system32\vxga1me4t1.exe - Deleted
C:\WINDOWS\system32\vxga3me2.exe - Deleted
C:\WINDOWS\system32\vxga4me1.exe - Deleted
C:\WINDOWS\system32\vxga8me6.exe - Deleted
C:\WINDOWS\system32\vxg3am1et3.exe - Deleted
C:\WINDOWS\system32\vxg4am1et2.exe - Deleted
C:\WINDOWS\system32\vxg6ame4.exe - Deleted
C:\WINDOWS\system32\wincom32.ini - Deleted
C:\WINDOWS\system32\wincom32.sys - Deleted
C:\WINDOWS\system32\zlbw.dll - Deleted
C:\WINDOWS\xpupdate.exe - Deleted



ADS Check:

C:\WINDOWS\system32
No streams found.

Final Check:

Remaining Services:
------------------

Rootkit PE386 maybe active, Use a Rootkit scanner!


Remaining Files:
---------------

Backups Folder: - C:\SDFix\backups\backups.zip


Checking For Files with Hidden Attributes :

C:\Documents and Settings\Rela Walker\NetHood\Applications on www.govjobs.com\Desktop.ini
C:\WINDOWS\SYSTEM32\MSWWINEDRVM7.DLL
C:\Program Files\Common Files\Adobe\ESD\DLMCleanup.exe
C:\Program Files\Nero\data\Nero PhotoShow Express.exe
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1229\A0219495.exe
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1229\A0219497.exe
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1230\A0219538.exe
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1231\A0219565.exe
C:\WINDOWS\SYSTEM32\amtlldm.exe
C:\WINDOWS\SYSTEM32\conlnuvl.exe
C:\WINDOWS\SYSTEM32\cstatvmq.exe
C:\WINDOWS\SYSTEM32\hssmkrsc.exe
C:\hiberfil.sys
C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch1\lock.tmp
C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch2\lock.tmp
C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch3\lock.tmp
C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch4\lock.tmp
C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp
C:\WINDOWS\LastGood.Tmp\INF\oem48.inf
C:\WINDOWS\LastGood.Tmp\INF\oem48.PNF
C:\WINDOWS\Temp\3abg3n01.TMP
C:\WINDOWS\Temp\n8w0ttpt.TMP

Finished


Here is the HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 3:36:52 PM, on 2/4/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5450.0004)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
C:\Program Files\Logitech\ImageStudio\LogiTray.exe
C:\Program Files\Dell Photo AIO Printer 962\dlbxmon.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\WINDOWS\system32\conlnuvl.exe
C:\WINDOWS\system32\cstatvmq.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe
C:\WINDOWS\system32\hssmkrsc.exe
C:\WINDOWS\system32\amtlldm.exe
C:\PROGRA~1\MUSICM~1\MUSICM~2\MMDiag.exe
C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
C:\WINDOWS\system32\dlbxcoms.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mim.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://search.bearshare.com/sidebar.html?src=ssb
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.bearshare.com/sidebar.html?src=ssb
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=54729
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=552...cid={SUB_CLCID}
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.bearshare.com/sidebar.html?src=ssb
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R3 - URLSearchHook: (no name) - <default> - (no file)
R3 - URLSearchHook: (no name) - _{EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Yahoo ToolBar - {BE756CFF-ADB4-4bc5-A35F-19E546E5710E} - C:\WINDOWS\system32\winnet.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~2\mimboot.exe
O4 - HKLM\..\Run: [dlbxmon.exe] "C:\Program Files\Dell Photo AIO Printer 962\dlbxmon.exe"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DLBXCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLBXtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [upp] c:\windows\system32\upnp.exe
O4 - HKLM\..\Run: [Mucmlls] conlnuvl.exe
O4 - HKLM\..\Run: [nvcdllx] C:\WINDOWS\system32\cstatvmq.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [dnhlpss] C:\WINDOWS\system32\hssmkrsc.exe
O4 - HKCU\..\Run: [rmskbsl] C:\WINDOWS\system32\amtlldm.exe
O4 - HKCU\..\Run: [nvcdllx] C:\WINDOWS\system32\cstatvmq.exe
O4 - Startup: Cyber-shot Viewer Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...96/mcinsctl.cab
O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://www.slide.com/uploader/SlideImageUploader.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3301A119-C6FE-4FD8-ADC9-6148B45F0A22}: NameServer = 66.35.255.12
O17 - HKLM\System\CCS\Services\Tcpip\..\{AE3C5B2C-23C5-4725-8943-A79A2A22B3DA}: NameServer = 66.35.255.12
O17 - HKLM\System\CCS\Services\Tcpip\..\{EE70919B-B981-43C2-AA95-D2BCFF4E473E}: NameServer = 66.35.255.12
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: DCOM Server 60787 - {2C1CD3D7-86AC-4068-93BC-A02304B60787} - C:\WINDOWS\system32\vrqdp.dll
O21 - SSODL: VBewGyJeg - {44A4B783-EE0E-1D29-7A4F-8F766BE85E93} - C:\WINDOWS\system32\nf.dll (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: dlbx_device - Dell - C:\WINDOWS\system32\dlbxcoms.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Windows Task Manager (Taskmng) - Unknown owner - C:\WINDOWS\system32\taskmang.exe

#4 RichieUK
  • Malware Assassin
  • Malware Response Team
  • 13,614 posts

Posted 04 February 2007 - 03:54 PM

Please download ATF Cleaner by Atribune:
This program is for XP and Windows 2000 only.
Double-click ATF-Cleaner.exe to run the program.
Under 'Main' choose: 'Select All'.
Click the 'Empty Selected' button.

If you're using Mozilla Firefox or the Opera browser:
Click the 'Firefox'/'Opera' tab at the top.
Place a check in 'Select All'.
Press 'Empty Selected'.

NOTE:
If you would like to keep your saved passwords, click No at the prompt.
Click Exit on the Main menu to close the program when you've finished.

=====================

Please download DrWeb-CureIt & save it to your desktop. DO NOT perform a scan yet.

You should copy/print the following because you need to be in Safe Mode from here on.

Reboot your computer into "Safe Mode" using the F8 method.
To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly.
A menu will appear with several options.
Use the arrow keys on your keyboard to navigate and select the option to run Windows in "Safe Mode".

Scan with DrWeb-CureIt as follows:
* Double-click on drweb-cureit.exe to start the program. An "Express Scan of your PC" notice will appear.
* Under "Start the Express Scan Now", Click "OK" to start. This is a short scan that will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it.
* Once the short scan has finished, Click Options > Change settings
* Choose the "Scan" tab and UNcheck "Heuristic analysis"
* Back at the main window, click "Select drives" (a red dot will show which drives have been chosen)
* Then click the "Start/Stop Scanning" button (green arrow on the right) and the scan will start.
* When done, a message will be displayed at the bottom advising if any viruses were found.
* Click "Yes to all" if it asks if you want to cure/move the file.
* When the scan has finished, look if you can see the icon next to the files found. If so, click it, then click the next icon right below and select "Move incurable".
(This will move it to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if it can't be cured)
* Next, in the Dr.Web CureIt menu on top, click file and choose save report list.
* Save the DrWeb.csv report to your desktop.
* Exit Dr.Web Cureit when done.
* Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
* After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report)

=====================

Please download Combofix and save to the desktop:
http://download.bleepingcomputer.com/sUBs/combofix.exe
http://www.techsupportforum.com/sectools/combofix.exe
Note:
It is important that it is saved directly to your desktop

Close any open browsers.
Double click on combofix.exe & follow the prompts.
When finished, it will produce a log.
Post the C:\ComboFix.txt in your next reply.
Note:
Do not mouseclick combofix's window whilst it's running.
That may cause the program to freeze/hang.


Reboot, post the DrWeb.csv report, the Combofix.txt, and a new HijackThis log in your next reply please.

#5 rwalker00 (Topic Starter)

Posted 04 February 2007 - 05:51 PM

ntio256.sys;c:\windows\system32;Trojan.Sklog;Deleted.;
winsys2f.dll~;C:\Documents and Settings\All Users\Documents\Settings;BackDoor.Uragan;Deleted.;
maindll.dll;C:\Documents and Settings\Rela Walker\Local Settings\Temp;BackDoor.Rekz;Deleted.;
maxdd1.game;C:\Documents and Settings\Rela Walker\Local Settings\Temp;Dialer.Maxd;Deleted.;
optimize.exe;C:\Documents and Settings\Rela Walker\Local Settings\Temp;Trojan.Dyfuca;Deleted.;
qv3xt3.game;C:\Documents and Settings\Rela Walker\Local Settings\Temp;Trojan.DownLoader.15909;Deleted.;
qvxt34.game;C:\Documents and Settings\Rela Walker\Local Settings\Temp;Trojan.DownLoader.15909;Deleted.;
qvxt42.game;C:\Documents and Settings\Rela Walker\Local Settings\Temp;Trojan.DownLoader.15909;Deleted.;
rsysinit.exe;C:\Documents and Settings\Rela Walker\Local Settings\Temp;Trojan.Reboot;Deleted.;
spoolsvv.exe;C:\Documents and Settings\Rela Walker\Local Settings\Temp;Trojan.Packed.10;Deleted.;
temp.fr5F71;C:\Documents and Settings\Rela Walker\Local Settings\Temp;BackDoor.Uragan;Deleted.;
temp.fr8033;C:\Documents and Settings\Rela Walker\Local Settings\Temp;Trojan.Packed.9;Deleted.;
temp.fr804E;C:\Documents and Settings\Rela Walker\Local Settings\Temp;Trojan.DownLoader.6332;Deleted.;
v3x1.g22me;C:\Documents and Settings\Rela Walker\Local Settings\Temp;BackDoor.Uragan;Deleted.;
v4x3.ga2me;C:\Documents and Settings\Rela Walker\Local Settings\Temp;Trojan.MulDrop.5502;Deleted.;
v4x6.gam5e;C:\Documents and Settings\Rela Walker\Local Settings\Temp;Trojan.DownLoader.15909;Deleted.;
v5x2.g3ame;C:\Documents and Settings\Rela Walker\Local Settings\Temp;Trojan.Packed.9;Deleted.;
v5x4.ga2me;C:\Documents and Settings\Rela Walker\Local Settings\Temp;Trojan.DownLoader.14813;Deleted.;
v6xt4.game;C:\Documents and Settings\Rela Walker\Local Settings\Temp;Trojan.Packed.9;Deleted.;
vx1t1.game;C:\Documents and Settings\Rela Walker\Local Settings\Temp;Trojan.Packed.9;Deleted.;
vx1t3.game;C:\Documents and Settings\Rela Walker\Local Settings\Temp;Trojan.DownLoader.15909;Deleted.;
vx3t2.game;C:\Documents and Settings\Rela Walker\Local Settings\Temp;Trojan.Packed.9;Deleted.;
wuauclt.exe;C:\Documents and Settings\Rela Walker\Local Settings\Temp;Trojan.DownLoader.18295;Deleted.;
wmplayer.exe.tmp;C:\Program Files\Windows Media Player;Trojan.DownLoader.2174;Deleted.;
Process.exe;C:\SDFix\apps;Tool.Prockill;Incurable.Moved.;
A0219448.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1228;Trojan.Packed.9;Deleted.;
A0219449.dll;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1228;Trojan.DownLoader.6332;Deleted.;
A0219457.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1228;Trojan.Packed.9;Deleted.;
A0219496.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1229;Trojan.DownLoader.15909;Deleted.;
A0219502.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1229;Trojan.DownLoader.15909;Deleted.;
A0219503.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1229;Trojan.DownLoader.15909;Deleted.;
A0219529.dll;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1229;Trojan.Spambot;Deleted.;
A0219537.dll;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1230;Trojan.Spambot;Deleted.;
A0219564.dll;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1231;Trojan.Spambot;Deleted.;
A0219579.dll;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1231;Trojan.Spambot;Deleted.;
A0219580.dll;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1231;Trojan.Spambot;Deleted.;
A0219686.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1231;Trojan.Packed.9;Deleted.;
A0219687.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1231;Trojan.Packed.9;Deleted.;
A0219688.dll;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1231;Trojan.Spambot;Deleted.;
A0219689.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1231;Trojan.DownLoader.15909;Deleted.;
A0219690.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1231;Trojan.Packed.9;Deleted.;
A0219691.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1231;Trojan.Packed.9;Deleted.;
A0219697.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1231;Trojan.Packed.9;Deleted.;
A0219698.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1231;Trojan.Packed.9;Deleted.;
A0219700.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1231;Trojan.Packed.9;Deleted.;
A0219701.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1231;Trojan.Packed.9;Deleted.;
A0219702.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1231;BackDoor.Uragan;Deleted.;
A0219703.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1231;Trojan.DownLoader.15909;Deleted.;
A0219704.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1231;Trojan.DownLoader.15909;Deleted.;
A0219705.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1231;Trojan.Packed.9;Deleted.;
A0219706.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1231;Trojan.DownLoader.14813;Deleted.;
A0219708.sys;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1231;BackDoor.Groan;Deleted.;
A0219710.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1231;Trojan.Packed.9;Deleted.;
A0219741.sys;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1231;Trojan.Sklog;Deleted.;
a1.exe;C:\WINDOWS;Trojan.Sklog;Deleted.;
ysbactivex.dll;C:\WINDOWS\Downloaded Program Files;Trojan.Isbar.386;Incurable.Moved.;
actskn45.ocx;C:\WINDOWS\SYSTEM32;Trojan.Isbar.439;Deleted.;
BO2802040113.dll;C:\WINDOWS\SYSTEM32;Trojan.MulDrop.1997;Deleted.;
GTDownDE_87.ocx;C:\WINDOWS\SYSTEM32;Adware.Gdown;Incurable.Moved.;
protector.exe;C:\WINDOWS\SYSTEM32;Trojan.Sklog;Deleted.;
qvx5gamet2.exe;C:\WINDOWS\SYSTEM32;Trojan.DownLoader.15909;Deleted.;
qvxga6met3.exe;C:\WINDOWS\SYSTEM32;Trojan.DownLoader.15909;Deleted.;
qvxga7met4.exe;C:\WINDOWS\SYSTEM32;Trojan.DownLoader.15909;Deleted.;

#6 rwalker00 (Topic Starter)

Posted 04 February 2007 - 06:05 PM

"Rela Walker" - 07-02-04 17:54:02 Service Pack 2
ComboFix 07.02.04 - Running from: "C:\Documents and Settings\Rela Walker\Desktop"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\taskmang.exe
C:\WINDOWS\system32\msiphelp.dll
C:\DOCUME~1\RELAWA~1\Application Data\Install.dat
C:\Documents and Settings\All Users\Documents\Settings
C:\Program Files\BraveSentry


((((((((((((((((((((((((((((((( Files Created from 2007-01-04 to 2007-02-04 ))))))))))))))))))))))))))))))))))


2007-02-04 16:17 <DIR> d-------- C:\DOCUME~1\RELAWA~1\DoctorWeb
2007-02-04 15:12 <DIR> d-------- C:\SDFix
2007-02-04 14:21 <DIR> d-------- C:\Program Files\HijackThis
2007-02-04 14:15 <DIR> d-------- C:\WINDOWS\SYSTEM32\ActiveScan
2007-02-04 14:11 <DIR> d-------- C:\DOCUME~1\RELAWA~1\.housecall6.6
2007-02-04 13:27 77,466 --a------ C:\WINDOWS\bgtrneiknkjnew.exe
2007-02-04 13:24 7,763 --a------ C:\WINDOWS\SYSTEM32\windll.dll
2007-02-04 03:30 6,837 --a------ C:\WINDOWS\SYSTEM32\pstore.dll
2007-02-04 02:23 18,570 --a------ C:\WINDOWS\nsicknjnfew.exe
2007-02-04 02:23 18,570 --a------ C:\WINDOWS\njfekmfde.exe
2007-02-04 02:07 8,450 --a------ C:\WINDOWS\SYSTEM32\winnet.dll
2007-02-04 02:07 4,373 --a------ C:\WINDOWS\SYSTEM32\ws_imod.dll
2007-02-04 02:07 2,245 --a------ C:\WINDOWS\SYSTEM32\mcert.dll
2007-02-04 02:07 18,570 --a------ C:\WINDOWS\SYSTEM32\abc.exe
2007-02-04 02:06 5,976 --a------ C:\WINDOWS\SYSTEM32\mt_32.dll
2007-02-04 02:06 169,984 --a------ C:\WINDOWS\SYSTEM32\vrqdp.dll
2007-02-04 01:51 <DIR> d--hs---- C:\WINDOWS\ftpcache
2007-02-04 01:51 <DIR> d-------- C:\Program Files\Show.kit 2.1
2007-02-04 00:02 <DIR> d-------- C:\Program Files\show.kit
2007-01-30 16:19 <DIR> d-------- C:\Program Files\Yahoo SiteBuilder
2007-01-25 19:47 <DIR> d-------- C:\DOCUME~1\RELAWA~1\Application Data\Nvu
2007-01-16 19:00 <DIR> d-------- C:\Program Files\IrfanView


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

Rootkit driver pe386 is present. A rootkit scan is required

2007-02-04 16:08 -------- d-------- C:\Program Files\dl_cats
2007-02-04 02:33 -------- d-------- C:\Program Files\limewire
2007-02-04 02:07 -------- d---s---- C:\DOCUME~1\RELAWA~1\Application Data\microsoft
2007-02-04 00:05 7002 --a------ C:\DOCUME~1\RELAWA~1\Application Data\wklnhst.dat
2007-02-01 17:45 -------- d-------- C:\DOCUME~1\RELAWA~1\Application Data\adobeum
2007-01-30 18:24 -------- d-------- C:\Program Files\ares
2007-01-25 19:47 -------- d-------- C:\DOCUME~1\RELAWA~1\Application Data\mozilla
2007-01-16 19:48 -------- d-------- C:\Program Files\microsoft picture it! 9
2006-12-30 14:46 -------- d-------- C:\DOCUME~1\RELAWA~1\Application Data\snapfish
2006-12-27 21:18 -------- d-------- C:\DOCUME~1\RELAWA~1\Application Data\sony corporation
2006-12-27 20:06 -------- d--h----- C:\Program Files\installshield installation information
2006-12-27 20:05 -------- d-------- C:\Program Files\sony
2006-12-25 00:06 133632 --a------ C:\WINDOWS\SYSTEM32\spoonuninstall.exe
2006-12-20 18:25 -------- d-------- C:\Program Files\nero
2006-12-20 18:25 -------- d-------- C:\DOCUME~1\RELAWA~1\Application Data\simple star
2006-12-20 18:25 -------- d-------- C:\DOCUME~1\RELAWA~1\Application Data\ahead
2006-12-20 18:24 -------- d-------- C:\Program Files\ahead
2006-12-20 18:22 -------- d-------- C:\Program Files\Common Files\nero
2006-12-20 18:21 -------- d-------- C:\Program Files\Common Files\ahead
2006-12-17 22:57 -------- d-------- C:\Program Files\quicktime
2006-12-15 17:01 -------- d-------- C:\Program Files\dell
2006-12-15 13:57 -------- d-------- C:\DOCUME~1\RELAWA~1\Application Data\yahoo!
2006-12-14 00:21 -------- d-------- C:\Program Files\windows media connect 2
2006-12-07 00:29 2374472 --a------ C:\WINDOWS\SYSTEM32\wmvcore.dll
2006-11-10 18:21 70952 --a------ C:\DOCUME~1\RELAWA~1\Application Data\gdipfontcachev1.dat
2006-11-08 00:06 679424 --a------ C:\WINDOWS\SYSTEM32\inetcomm.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"DellSupport"="\"C:\\Program Files\\Dell Support\\DSAgnt.exe\" /startup"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Yahoo! Pager"="\"C:\\PROGRA~1\\Yahoo!\\MESSEN~1\\YAHOOM~1.EXE\" -quiet"
"WebCamRT.exe"=""
"H/PC Connection Agent"="\"C:\\Program Files\\Microsoft ActiveSync\\WCESCOMM.EXE\""
"PhotoShow Deluxe Media Manager"="C:\\PROGRA~1\\Nero\\data\\Xtras\\mssysmgr.exe"
"dnhlpss"="C:\\WINDOWS\\system32\\hssmkrsc.exe"
"rmskbsl"="C:\\WINDOWS\\system32\\amtlldm.exe"
"nvcdllx"="C:\\WINDOWS\\system32\\cstatvmq.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"BCMSMMSG"="BCMSMMSG.exe"
"CTSysVol"="C:\\Program Files\\Creative\\SBAudigy2\\Surround Mixer\\CTSysVol.exe"
"CTDVDDet"="C:\\Program Files\\Creative\\SBAudigy2\\DVDAudio\\CTDVDDet.EXE"
"CTHelper"="CTHELPER.EXE"
"AsioReg"="REGSVR32.EXE /S CTASIO.DLL"
"UpdReg"="C:\\WINDOWS\\UpdReg.EXE"
"LVCOMS"="C:\\Program Files\\Common Files\\Logitech\\QCDriver3\\LVCOMS.EXE"
"LogitechGalleryRepair"="C:\\Program Files\\Logitech\\ImageStudio\\ISStart.exe"
"LogitechImageStudioTray"="C:\\Program Files\\Logitech\\ImageStudio\\LogiTray.exe"
"MimBoot"="C:\\PROGRA~1\\MUSICM~1\\MUSICM~2\\mimboot.exe"
"dlbxmon.exe"="\"C:\\Program Files\\Dell Photo AIO Printer 962\\dlbxmon.exe\""
"Microsoft Works Update Detection"="C:\\Program Files\\Common Files\\Microsoft Shared\\Works Shared\\WkUFind.exe"
"PCMService"="\"C:\\Program Files\\Dell\\Media Experience\\PCMService.exe\""
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"DLBXCATS"="rundll32 C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\DLBXtime.dll,_RunDLLEntry@16"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_09\\bin\\jusched.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"upp"="c:\\windows\\system32\\upnp.exe"
"Mucmlls"="conlnuvl.exe"
"nvcdllx"="C:\\WINDOWS\\system32\\cstatvmq.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Microsoft Office.lnk"
"backup"="C:\\WINDOWS\\pss\\Microsoft Office.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\MICROS~4\\Office10\\OSA.EXE -b -l"
"item"="Microsoft Office"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ErrorHunter]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ErrorHunter"
"hkey"="HKCU"
"command"="C:\\Program Files\\Error Hunter\\ErrorHunter.exe"
"inimapping"="0"


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{553858A7-4922-4e7e-B1C1-97140C1C16EF}"="IE Component Categories cache daemon"
"{2C1CD3D7-86AC-4068-93BC-A02304B60787}"="DCOM Server 60787"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"DCOM Server 60787"="{2C1CD3D7-86AC-4068-93BC-A02304B60787}"
"VBewGyJeg"="{44A4B783-EE0E-1D29-7A4F-8F766BE85E93}"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoCDBurning"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0



********************************************************************

catchme 0.1 W2K/XP - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

scanning hidden processes ...

scanning hidden services ...

HKLM\SYSTEM\CurrentControlSet\Services\PerfNetk

HKLM\SYSTEM\CurrentControlSet\Services\PerfOSt

HKLM\SYSTEM\CurrentControlSet\Services\PfModNTc

HKLM\SYSTEM\CurrentControlSet\Services\Processorort

HKLM\SYSTEM\CurrentControlSet\Services\PSchedtedStorage

HKLM\SYSTEM\CurrentControlSet\Services\ql1080er

HKLM\SYSTEM\CurrentControlSet\Services\ql12400

HKLM\SYSTEM\CurrentControlSet\Services\RasManp

HKLM\SYSTEM\CurrentControlSet\Services\Rasptioe

HKLM\SYSTEM\CurrentControlSet\Services\Rdbssi

HKLM\SYSTEM\CurrentControlSet\Services\RDPDDD

HKLM\SYSTEM\CurrentControlSet\Services\redbookgr

HKLM\SYSTEM\CurrentControlSet\Services\RpcLocatorss

HKLM\SYSTEM\CurrentControlSet\Services\RpcSscator

HKLM\SYSTEM\CurrentControlSet\Services\RSVPs

HKLM\SYSTEM\CurrentControlSet\Services\Secdrvrt

HKLM\SYSTEM\CurrentControlSet\Services\SENSogon

HKLM\SYSTEM\CurrentControlSet\Services\Serialm

HKLM\SYSTEM\CurrentControlSet\Services\SimbadWDetection

HKLM\SYSTEM\CurrentControlSet\Services\sky_mdml

HKLM\SYSTEM\CurrentControlSet\Services\SLIPserd

HKLM\SYSTEM\CurrentControlSet\Services\Sparrow1

HKLM\SYSTEM\CurrentControlSet\Services\Spoolerr

HKLM\SYSTEM\CurrentControlSet\Services\srooler

HKLM\SYSTEM\CurrentControlSet\Services\Srvervice

HKLM\SYSTEM\CurrentControlSet\Services\stisvcV

HKLM\SYSTEM\CurrentControlSet\Services\swenumip

HKLM\SYSTEM\CurrentControlSet\Services\SwPrvi

HKLM\SYSTEM\CurrentControlSet\Services\swwdv

HKLM\SYSTEM\CurrentControlSet\Services\sym_hix

HKLM\SYSTEM\CurrentControlSet\Services\TapiSrvog

HKLM\SYSTEM\CurrentControlSet\Services\Tcpipng

HKLM\SYSTEM\CurrentControlSet\Services\TDTCPE

HKLM\SYSTEM\CurrentControlSet\Services\Themesrvice

HKLM\SYSTEM\CurrentControlSet\Services\TosIder

HKLM\SYSTEM\CurrentControlSet\Services\TSDDDs

HKLM\SYSTEM\CurrentControlSet\Services\UdfsD

HKLM\SYSTEM\CurrentControlSet\Services\UPSphost

HKLM\SYSTEM\CurrentControlSet\Services\usbhubi

HKLM\SYSTEM\CurrentControlSet\Services\usbscant

HKLM\SYSTEM\CurrentControlSet\Services\usbsern

HKLM\SYSTEM\CurrentControlSet\Services\viaagpe

HKLM\SYSTEM\CurrentControlSet\Services\VSSSnap

HKLM\SYSTEM\CurrentControlSet\Services\W3SVCme

HKLM\SYSTEM\CurrentControlSet\Services\WDICAbsh

HKLM\SYSTEM\CurrentControlSet\Services\winmgmtnt

HKLM\SYSTEM\CurrentControlSet\Services\Winsock - Google Desktop Search Backup Before Last Installl

HKLM\SYSTEM\CurrentControlSet\Services\WinSock2- Google Desktop Search Backup Before Last Install

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2 - Google Desktop Search Backup Before Last Installl

HKLM\SYSTEM\CurrentControlSet\Services\WinTrust - Google Desktop Search Backup Before Last Install

HKLM\SYSTEM\CurrentControlSet\Services\WmdmPmSNP Service

HKLM\SYSTEM\CurrentControlSet\Services\WmimPmSN

HKLM\SYSTEM\CurrentControlSet\Services\WpdUsbrv

HKLM\SYSTEM\CurrentControlSet\Services\wscsvcL

HKLM\SYSTEM\CurrentControlSet\Services\WudfPfrv

HKLM\SYSTEM\CurrentControlSet\Services\WZCSVCc

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLBXCATS = rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLBXtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...


scan completed successfully
hidden processes: 0
hidden services: 56
hidden files: 0

********************************************************************

Completion time: 07-02-04 17:58:31

#7 rwalker00 (Topic Starter)

Posted 04 February 2007 - 06:11 PM

ALL IN ONE POST....

HIJACKTHIS POST:

Logfile of HijackThis v1.99.1
Scan saved at 6:06:36 PM, on 2/4/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5450.0004)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
C:\Program Files\Logitech\ImageStudio\LogiTray.exe
C:\Program Files\Dell Photo AIO Printer 962\dlbxmon.exe
C:\PROGRA~1\MUSICM~1\MUSICM~2\MMDiag.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mim.exe
C:\WINDOWS\system32\conlnuvl.exe
C:\WINDOWS\system32\cstatvmq.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe
C:\WINDOWS\system32\hssmkrsc.exe
C:\WINDOWS\system32\amtlldm.exe
C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dlbxcoms.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\dwwin.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=54729
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R3 - URLSearchHook: (no name) - <default> - (no file)
R3 - URLSearchHook: (no name) - _{EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Yahoo ToolBar - {BE756CFF-ADB4-4bc5-A35F-19E546E5710E} - C:\WINDOWS\system32\winnet.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~2\mimboot.exe
O4 - HKLM\..\Run: [dlbxmon.exe] "C:\Program Files\Dell Photo AIO Printer 962\dlbxmon.exe"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DLBXCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLBXtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [upp] c:\windows\system32\upnp.exe
O4 - HKLM\..\Run: [Mucmlls] conlnuvl.exe
O4 - HKLM\..\Run: [nvcdllx] C:\WINDOWS\system32\cstatvmq.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [dnhlpss] C:\WINDOWS\system32\hssmkrsc.exe
O4 - HKCU\..\Run: [rmskbsl] C:\WINDOWS\system32\amtlldm.exe
O4 - HKCU\..\Run: [nvcdllx] C:\WINDOWS\system32\cstatvmq.exe
O4 - Startup: Cyber-shot Viewer Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...96/mcinsctl.cab
O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://www.slide.com/uploader/SlideImageUploader.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3301A119-C6FE-4FD8-ADC9-6148B45F0A22}: NameServer = 66.35.255.12
O17 - HKLM\System\CCS\Services\Tcpip\..\{AE3C5B2C-23C5-4725-8943-A79A2A22B3DA}: NameServer = 66.35.255.12
O17 - HKLM\System\CCS\Services\Tcpip\..\{EE70919B-B981-43C2-AA95-D2BCFF4E473E}: NameServer = 66.35.255.12
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: DCOM Server 60787 - {2C1CD3D7-86AC-4068-93BC-A02304B60787} - C:\WINDOWS\system32\vrqdp.dll
O21 - SSODL: VBewGyJeg - {44A4B783-EE0E-1D29-7A4F-8F766BE85E93} - C:\WINDOWS\system32\nf.dll (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: dlbx_device - Dell - C:\WINDOWS\system32\dlbxcoms.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Windows Task Manager (Taskmng) - Unknown owner - C:\WINDOWS\system32\taskmang.exe (file missing)

COMBOFIX POST:


"Rela Walker" - 07-02-04 17:54:02 Service Pack 2
ComboFix 07.02.04 - Running from: "C:\Documents and Settings\Rela Walker\Desktop"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\taskmang.exe
C:\WINDOWS\system32\msiphelp.dll
C:\DOCUME~1\RELAWA~1\Application Data\Install.dat
C:\Documents and Settings\All Users\Documents\Settings
C:\Program Files\BraveSentry


((((((((((((((((((((((((((((((( Files Created from 2007-01-04 to 2007-02-04 ))))))))))))))))))))))))))))))))))


2007-02-04 16:17 <DIR> d-------- C:\DOCUME~1\RELAWA~1\DoctorWeb
2007-02-04 15:12 <DIR> d-------- C:\SDFix
2007-02-04 14:21 <DIR> d-------- C:\Program Files\HijackThis
2007-02-04 14:15 <DIR> d-------- C:\WINDOWS\SYSTEM32\ActiveScan
2007-02-04 14:11 <DIR> d-------- C:\DOCUME~1\RELAWA~1\.housecall6.6
2007-02-04 13:27 77,466 --a------ C:\WINDOWS\bgtrneiknkjnew.exe
2007-02-04 13:24 7,763 --a------ C:\WINDOWS\SYSTEM32\windll.dll
2007-02-04 03:30 6,837 --a------ C:\WINDOWS\SYSTEM32\pstore.dll
2007-02-04 02:23 18,570 --a------ C:\WINDOWS\nsicknjnfew.exe
2007-02-04 02:23 18,570 --a------ C:\WINDOWS\njfekmfde.exe
2007-02-04 02:07 8,450 --a------ C:\WINDOWS\SYSTEM32\winnet.dll
2007-02-04 02:07 4,373 --a------ C:\WINDOWS\SYSTEM32\ws_imod.dll
2007-02-04 02:07 2,245 --a------ C:\WINDOWS\SYSTEM32\mcert.dll
2007-02-04 02:07 18,570 --a------ C:\WINDOWS\SYSTEM32\abc.exe
2007-02-04 02:06 5,976 --a------ C:\WINDOWS\SYSTEM32\mt_32.dll
2007-02-04 02:06 169,984 --a------ C:\WINDOWS\SYSTEM32\vrqdp.dll
2007-02-04 01:51 <DIR> d--hs---- C:\WINDOWS\ftpcache
2007-02-04 01:51 <DIR> d-------- C:\Program Files\Show.kit 2.1
2007-02-04 00:02 <DIR> d-------- C:\Program Files\show.kit
2007-01-30 16:19 <DIR> d-------- C:\Program Files\Yahoo SiteBuilder
2007-01-25 19:47 <DIR> d-------- C:\DOCUME~1\RELAWA~1\Application Data\Nvu
2007-01-16 19:00 <DIR> d-------- C:\Program Files\IrfanView


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

Rootkit driver pe386 is present. A rootkit scan is required

2007-02-04 16:08 -------- d-------- C:\Program Files\dl_cats
2007-02-04 02:33 -------- d-------- C:\Program Files\limewire
2007-02-04 02:07 -------- d---s---- C:\DOCUME~1\RELAWA~1\Application Data\microsoft
2007-02-04 00:05 7002 --a------ C:\DOCUME~1\RELAWA~1\Application Data\wklnhst.dat
2007-02-01 17:45 -------- d-------- C:\DOCUME~1\RELAWA~1\Application Data\adobeum
2007-01-30 18:24 -------- d-------- C:\Program Files\ares
2007-01-25 19:47 -------- d-------- C:\DOCUME~1\RELAWA~1\Application Data\mozilla
2007-01-16 19:48 -------- d-------- C:\Program Files\microsoft picture it! 9
2006-12-30 14:46 -------- d-------- C:\DOCUME~1\RELAWA~1\Application Data\snapfish
2006-12-27 21:18 -------- d-------- C:\DOCUME~1\RELAWA~1\Application Data\sony corporation
2006-12-27 20:06 -------- d--h----- C:\Program Files\installshield installation information
2006-12-27 20:05 -------- d-------- C:\Program Files\sony
2006-12-25 00:06 133632 --a------ C:\WINDOWS\SYSTEM32\spoonuninstall.exe
2006-12-20 18:25 -------- d-------- C:\Program Files\nero
2006-12-20 18:25 -------- d-------- C:\DOCUME~1\RELAWA~1\Application Data\simple star
2006-12-20 18:25 -------- d-------- C:\DOCUME~1\RELAWA~1\Application Data\ahead
2006-12-20 18:24 -------- d-------- C:\Program Files\ahead
2006-12-20 18:22 -------- d-------- C:\Program Files\Common Files\nero
2006-12-20 18:21 -------- d-------- C:\Program Files\Common Files\ahead
2006-12-17 22:57 -------- d-------- C:\Program Files\quicktime
2006-12-15 17:01 -------- d-------- C:\Program Files\dell
2006-12-15 13:57 -------- d-------- C:\DOCUME~1\RELAWA~1\Application Data\yahoo!
2006-12-14 00:21 -------- d-------- C:\Program Files\windows media connect 2
2006-12-07 00:29 2374472 --a------ C:\WINDOWS\SYSTEM32\wmvcore.dll
2006-11-10 18:21 70952 --a------ C:\DOCUME~1\RELAWA~1\Application Data\gdipfontcachev1.dat
2006-11-08 00:06 679424 --a------ C:\WINDOWS\SYSTEM32\inetcomm.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"DellSupport"="\"C:\\Program Files\\Dell Support\\DSAgnt.exe\" /startup"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Yahoo! Pager"="\"C:\\PROGRA~1\\Yahoo!\\MESSEN~1\\YAHOOM~1.EXE\" -quiet"
"WebCamRT.exe"=""
"H/PC Connection Agent"="\"C:\\Program Files\\Microsoft ActiveSync\\WCESCOMM.EXE\""
"PhotoShow Deluxe Media Manager"="C:\\PROGRA~1\\Nero\\data\\Xtras\\mssysmgr.exe"
"dnhlpss"="C:\\WINDOWS\\system32\\hssmkrsc.exe"
"rmskbsl"="C:\\WINDOWS\\system32\\amtlldm.exe"
"nvcdllx"="C:\\WINDOWS\\system32\\cstatvmq.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"BCMSMMSG"="BCMSMMSG.exe"
"CTSysVol"="C:\\Program Files\\Creative\\SBAudigy2\\Surround Mixer\\CTSysVol.exe"
"CTDVDDet"="C:\\Program Files\\Creative\\SBAudigy2\\DVDAudio\\CTDVDDet.EXE"
"CTHelper"="CTHELPER.EXE"
"AsioReg"="REGSVR32.EXE /S CTASIO.DLL"
"UpdReg"="C:\\WINDOWS\\UpdReg.EXE"
"LVCOMS"="C:\\Program Files\\Common Files\\Logitech\\QCDriver3\\LVCOMS.EXE"
"LogitechGalleryRepair"="C:\\Program Files\\Logitech\\ImageStudio\\ISStart.exe"
"LogitechImageStudioTray"="C:\\Program Files\\Logitech\\ImageStudio\\LogiTray.exe"
"MimBoot"="C:\\PROGRA~1\\MUSICM~1\\MUSICM~2\\mimboot.exe"
"dlbxmon.exe"="\"C:\\Program Files\\Dell Photo AIO Printer 962\\dlbxmon.exe\""
"Microsoft Works Update Detection"="C:\\Program Files\\Common Files\\Microsoft Shared\\Works Shared\\WkUFind.exe"
"PCMService"="\"C:\\Program Files\\Dell\\Media Experience\\PCMService.exe\""
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"DLBXCATS"="rundll32 C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\DLBXtime.dll,_RunDLLEntry@16"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_09\\bin\\jusched.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"upp"="c:\\windows\\system32\\upnp.exe"
"Mucmlls"="conlnuvl.exe"
"nvcdllx"="C:\\WINDOWS\\system32\\cstatvmq.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Microsoft Office.lnk"
"backup"="C:\\WINDOWS\\pss\\Microsoft Office.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\MICROS~4\\Office10\\OSA.EXE -b -l"
"item"="Microsoft Office"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ErrorHunter]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ErrorHunter"
"hkey"="HKCU"
"command"="C:\\Program Files\\Error Hunter\\ErrorHunter.exe"
"inimapping"="0"


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{553858A7-4922-4e7e-B1C1-97140C1C16EF}"="IE Component Categories cache daemon"
"{2C1CD3D7-86AC-4068-93BC-A02304B60787}"="DCOM Server 60787"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"DCOM Server 60787"="{2C1CD3D7-86AC-4068-93BC-A02304B60787}"
"VBewGyJeg"="{44A4B783-EE0E-1D29-7A4F-8F766BE85E93}"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoCDBurning"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0



********************************************************************

catchme 0.1 W2K/XP - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

scanning hidden processes ...

scanning hidden services ...

HKLM\SYSTEM\CurrentControlSet\Services\PerfNetk

HKLM\SYSTEM\CurrentControlSet\Services\PerfOSt

HKLM\SYSTEM\CurrentControlSet\Services\PfModNTc

HKLM\SYSTEM\CurrentControlSet\Services\Processorort

HKLM\SYSTEM\CurrentControlSet\Services\PSchedtedStorage

HKLM\SYSTEM\CurrentControlSet\Services\ql1080er

HKLM\SYSTEM\CurrentControlSet\Services\ql12400

HKLM\SYSTEM\CurrentControlSet\Services\RasManp

HKLM\SYSTEM\CurrentControlSet\Services\Rasptioe

HKLM\SYSTEM\CurrentControlSet\Services\Rdbssi

HKLM\SYSTEM\CurrentControlSet\Services\RDPDDD

HKLM\SYSTEM\CurrentControlSet\Services\redbookgr

HKLM\SYSTEM\CurrentControlSet\Services\RpcLocatorss

HKLM\SYSTEM\CurrentControlSet\Services\RpcSscator

HKLM\SYSTEM\CurrentControlSet\Services\RSVPs

HKLM\SYSTEM\CurrentControlSet\Services\Secdrvrt

HKLM\SYSTEM\CurrentControlSet\Services\SENSogon

HKLM\SYSTEM\CurrentControlSet\Services\Serialm

HKLM\SYSTEM\CurrentControlSet\Services\SimbadWDetection

HKLM\SYSTEM\CurrentControlSet\Services\sky_mdml

HKLM\SYSTEM\CurrentControlSet\Services\SLIPserd

HKLM\SYSTEM\CurrentControlSet\Services\Sparrow1

HKLM\SYSTEM\CurrentControlSet\Services\Spoolerr

HKLM\SYSTEM\CurrentControlSet\Services\srooler

HKLM\SYSTEM\CurrentControlSet\Services\Srvervice

HKLM\SYSTEM\CurrentControlSet\Services\stisvcV

HKLM\SYSTEM\CurrentControlSet\Services\swenumip

HKLM\SYSTEM\CurrentControlSet\Services\SwPrvi

HKLM\SYSTEM\CurrentControlSet\Services\swwdv

HKLM\SYSTEM\CurrentControlSet\Services\sym_hix

HKLM\SYSTEM\CurrentControlSet\Services\TapiSrvog

HKLM\SYSTEM\CurrentControlSet\Services\Tcpipng

HKLM\SYSTEM\CurrentControlSet\Services\TDTCPE

HKLM\SYSTEM\CurrentControlSet\Services\Themesrvice

HKLM\SYSTEM\CurrentControlSet\Services\TosIder

HKLM\SYSTEM\CurrentControlSet\Services\TSDDDs

HKLM\SYSTEM\CurrentControlSet\Services\UdfsD

HKLM\SYSTEM\CurrentControlSet\Services\UPSphost

HKLM\SYSTEM\CurrentControlSet\Services\usbhubi

HKLM\SYSTEM\CurrentControlSet\Services\usbscant

HKLM\SYSTEM\CurrentControlSet\Services\usbsern

HKLM\SYSTEM\CurrentControlSet\Services\viaagpe

HKLM\SYSTEM\CurrentControlSet\Services\VSSSnap

HKLM\SYSTEM\CurrentControlSet\Services\W3SVCme

HKLM\SYSTEM\CurrentControlSet\Services\WDICAbsh

HKLM\SYSTEM\CurrentControlSet\Services\winmgmtnt

HKLM\SYSTEM\CurrentControlSet\Services\Winsock - Google Desktop Search Backup Before Last Installl

HKLM\SYSTEM\CurrentControlSet\Services\WinSock2- Google Desktop Search Backup Before Last Install

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2 - Google Desktop Search Backup Before Last Installl

HKLM\SYSTEM\CurrentControlSet\Services\WinTrust - Google Desktop Search Backup Before Last Install

HKLM\SYSTEM\CurrentControlSet\Services\WmdmPmSNP Service

HKLM\SYSTEM\CurrentControlSet\Services\WmimPmSN

HKLM\SYSTEM\CurrentControlSet\Services\WpdUsbrv

HKLM\SYSTEM\CurrentControlSet\Services\wscsvcL

HKLM\SYSTEM\CurrentControlSet\Services\WudfPfrv

HKLM\SYSTEM\CurrentControlSet\Services\WZCSVCc

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLBXCATS = rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLBXtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...


scan completed successfully
hidden processes: 0
hidden services: 56
hidden files: 0

********************************************************************

Completion time: 07-02-04 17:58:31

DRWEB-CURE IT POST:

ntio256.sys;c:\windows\system32;Trojan.Sklog;Deleted.;
winsys2f.dll~;C:\Documents and Settings\All Users\Documents\Settings;BackDoor.Uragan;Deleted.;
maindll.dll;C:\Documents and Settings\Rela Walker\Local Settings\Temp;BackDoor.Rekz;Deleted.;
maxdd1.game;C:\Documents and Settings\Rela Walker\Local Settings\Temp;Dialer.Maxd;Deleted.;
optimize.exe;C:\Documents and Settings\Rela Walker\Local Settings\Temp;Trojan.Dyfuca;Deleted.;
qv3xt3.game;C:\Documents and Settings\Rela Walker\Local Settings\Temp;Trojan.DownLoader.15909;Deleted.;
qvxt34.game;C:\Documents and Settings\Rela Walker\Local Settings\Temp;Trojan.DownLoader.15909;Deleted.;
qvxt42.game;C:\Documents and Settings\Rela Walker\Local Settings\Temp;Trojan.DownLoader.15909;Deleted.;
rsysinit.exe;C:\Documents and Settings\Rela Walker\Local Settings\Temp;Trojan.Reboot;Deleted.;
spoolsvv.exe;C:\Documents and Settings\Rela Walker\Local Settings\Temp;Trojan.Packed.10;Deleted.;
temp.fr5F71;C:\Documents and Settings\Rela Walker\Local Settings\Temp;BackDoor.Uragan;Deleted.;
temp.fr8033;C:\Documents and Settings\Rela Walker\Local Settings\Temp;Trojan.Packed.9;Deleted.;
temp.fr804E;C:\Documents and Settings\Rela Walker\Local Settings\Temp;Trojan.DownLoader.6332;Deleted.;
v3x1.g22me;C:\Documents and Settings\Rela Walker\Local Settings\Temp;BackDoor.Uragan;Deleted.;
v4x3.ga2me;C:\Documents and Settings\Rela Walker\Local Settings\Temp;Trojan.MulDrop.5502;Deleted.;
v4x6.gam5e;C:\Documents and Settings\Rela Walker\Local Settings\Temp;Trojan.DownLoader.15909;Deleted.;
v5x2.g3ame;C:\Documents and Settings\Rela Walker\Local Settings\Temp;Trojan.Packed.9;Deleted.;
v5x4.ga2me;C:\Documents and Settings\Rela Walker\Local Settings\Temp;Trojan.DownLoader.14813;Deleted.;
v6xt4.game;C:\Documents and Settings\Rela Walker\Local Settings\Temp;Trojan.Packed.9;Deleted.;
vx1t1.game;C:\Documents and Settings\Rela Walker\Local Settings\Temp;Trojan.Packed.9;Deleted.;
vx1t3.game;C:\Documents and Settings\Rela Walker\Local Settings\Temp;Trojan.DownLoader.15909;Deleted.;
vx3t2.game;C:\Documents and Settings\Rela Walker\Local Settings\Temp;Trojan.Packed.9;Deleted.;
wuauclt.exe;C:\Documents and Settings\Rela Walker\Local Settings\Temp;Trojan.DownLoader.18295;Deleted.;
wmplayer.exe.tmp;C:\Program Files\Windows Media Player;Trojan.DownLoader.2174;Deleted.;
Process.exe;C:\SDFix\apps;Tool.Prockill;Incurable.Moved.;
A0219448.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1228;Trojan.Packed.9;Deleted.;
A0219449.dll;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1228;Trojan.DownLoader.6332;Deleted.;
A0219457.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1228;Trojan.Packed.9;Deleted.;
A0219496.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1229;Trojan.DownLoader.15909;Deleted.;
A0219502.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1229;Trojan.DownLoader.15909;Deleted.;
A0219503.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1229;Trojan.DownLoader.15909;Deleted.;
A0219529.dll;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1229;Trojan.Spambot;Deleted.;
A0219537.dll;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1230;Trojan.Spambot;Deleted.;
A0219564.dll;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1231;Trojan.Spambot;Deleted.;
A0219579.dll;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1231;Trojan.Spambot;Deleted.;
A0219580.dll;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1231;Trojan.Spambot;Deleted.;
A0219686.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1231;Trojan.Packed.9;Deleted.;
A0219687.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1231;Trojan.Packed.9;Deleted.;
A0219688.dll;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1231;Trojan.Spambot;Deleted.;
A0219689.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1231;Trojan.DownLoader.15909;Deleted.;
A0219690.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1231;Trojan.Packed.9;Deleted.;
A0219691.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1231;Trojan.Packed.9;Deleted.;
A0219697.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1231;Trojan.Packed.9;Deleted.;
A0219698.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1231;Trojan.Packed.9;Deleted.;
A0219700.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1231;Trojan.Packed.9;Deleted.;
A0219701.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1231;Trojan.Packed.9;Deleted.;
A0219702.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1231;BackDoor.Uragan;Deleted.;
A0219703.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1231;Trojan.DownLoader.15909;Deleted.;
A0219704.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1231;Trojan.DownLoader.15909;Deleted.;
A0219705.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1231;Trojan.Packed.9;Deleted.;
A0219706.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1231;Trojan.DownLoader.14813;Deleted.;
A0219708.sys;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1231;BackDoor.Groan;Deleted.;
A0219710.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1231;Trojan.Packed.9;Deleted.;
A0219741.sys;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1231;Trojan.Sklog;Deleted.;
a1.exe;C:\WINDOWS;Trojan.Sklog;Deleted.;
ysbactivex.dll;C:\WINDOWS\Downloaded Program Files;Trojan.Isbar.386;Incurable.Moved.;
actskn45.ocx;C:\WINDOWS\SYSTEM32;Trojan.Isbar.439;Deleted.;
BO2802040113.dll;C:\WINDOWS\SYSTEM32;Trojan.MulDrop.1997;Deleted.;
GTDownDE_87.ocx;C:\WINDOWS\SYSTEM32;Adware.Gdown;Incurable.Moved.;
protector.exe;C:\WINDOWS\SYSTEM32;Trojan.Sklog;Deleted.;
qvx5gamet2.exe;C:\WINDOWS\SYSTEM32;Trojan.DownLoader.15909;Deleted.;
qvxga6met3.exe;C:\WINDOWS\SYSTEM32;Trojan.DownLoader.15909;Deleted.;
qvxga7met4.exe;C:\WINDOWS\SYSTEM32;Trojan.DownLoader.15909;Deleted.;

#8 rwalker00

rwalker00
  • Topic Starter

  • Members
  • 13 posts

Posted 04 February 2007 - 06:12 PM

QUESTION: SINCE I'VE DONE ALL THESE FIXES, MY COMPUTER IS CONTINUOUSLY SHUTTING DOWN AFTER 2-3 MINUTES LOGGING ON TO MY SYSTEM. WHAT IS GOING ON?

#9 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts

Posted 04 February 2007 - 06:30 PM

Download rustbfix from Here and save it to your desktop.
Double click on rustbfix.exe to run the tool.
If a Rustock.b-infection is found, you will shortly hereafter be asked to reboot the computer.
The reboot will probably take quite a while, and perhaps 2 reboots will be needed.
But this will happen automatically.
After the reboot 2 logfiles will open (C:\avenger.txt & C:\rustbfix\pelog.txt).
Post the content of these logfiles along with a new HijackThis log.

#10 rwalker00

rwalker00
  • Topic Starter

  • Members
  • 13 posts

Posted 04 February 2007 - 06:46 PM

AVENGER POST:


Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\sofmlufy

*******************

Script file located at: \??\C:\Program Files\jygiyxbx.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Driver PE386 unloaded successfully.
Program C:\Rustbfix\2run.bat successfully set up to run once on reboot.

Completed script processing.

*******************

Finished! Terminate.


PELOG POST:

************************* Rustock.b-fix -- By ejvindh *************************
Sun 02/04/2007 18:38:25.85

******************* Pre-run Status of system *******************

Rootkit driver PE386 is found. Starting the unload-procedure....

Rustock.b-ADS attached to the System32-folder:
:lzx32.sys 65568
Total size: 65568 bytes.
Attempting to remove ADS...
system32: deleted 65568 bytes in 1 streams.

Looking for Rustock.b-files in the System32-folder:
No Rustock.b-files found in system32


******************* Post-run Status of system *******************

Rustock.b-driver on the system: NONE!

Rustock.b-ADS attached to the System32-folder:
No System32-ADS found.

Looking for Rustock.b-files in the System32-folder:
No Rustock.b-files found in system32


******************************* End of Logfile ********************************

HIJACKTHIS POST:

Logfile of HijackThis v1.99.1
Scan saved at 6:44:33 PM, on 2/4/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5450.0004)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\notepad.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
C:\Program Files\Logitech\ImageStudio\LogiTray.exe
C:\Program Files\Dell Photo AIO Printer 962\dlbxmon.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\PROGRA~1\MUSICM~1\MUSICM~2\MMDiag.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\WINDOWS\system32\conlnuvl.exe
C:\WINDOWS\system32\cstatvmq.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\hssmkrsc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\amtlldm.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mim.exe
C:\WINDOWS\system32\dlbxcoms.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=54729
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R3 - URLSearchHook: (no name) - <default> - (no file)
R3 - URLSearchHook: (no name) - _{EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Yahoo ToolBar - {BE756CFF-ADB4-4bc5-A35F-19E546E5710E} - C:\WINDOWS\system32\winnet.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~2\mimboot.exe
O4 - HKLM\..\Run: [dlbxmon.exe] "C:\Program Files\Dell Photo AIO Printer 962\dlbxmon.exe"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DLBXCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLBXtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [upp] c:\windows\system32\upnp.exe
O4 - HKLM\..\Run: [Mucmlls] conlnuvl.exe
O4 - HKLM\..\Run: [nvcdllx] C:\WINDOWS\system32\cstatvmq.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [dnhlpss] C:\WINDOWS\system32\hssmkrsc.exe
O4 - HKCU\..\Run: [rmskbsl] C:\WINDOWS\system32\amtlldm.exe
O4 - HKCU\..\Run: [nvcdllx] C:\WINDOWS\system32\cstatvmq.exe
O4 - Startup: Cyber-shot Viewer Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...96/mcinsctl.cab
O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://www.slide.com/uploader/SlideImageUploader.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3301A119-C6FE-4FD8-ADC9-6148B45F0A22}: NameServer = 66.35.255.12
O17 - HKLM\System\CCS\Services\Tcpip\..\{AE3C5B2C-23C5-4725-8943-A79A2A22B3DA}: NameServer = 66.35.255.12
O17 - HKLM\System\CCS\Services\Tcpip\..\{EE70919B-B981-43C2-AA95-D2BCFF4E473E}: NameServer = 66.35.255.12
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: DCOM Server 60787 - {2C1CD3D7-86AC-4068-93BC-A02304B60787} - C:\WINDOWS\system32\vrqdp.dll
O21 - SSODL: VBewGyJeg - {44A4B783-EE0E-1D29-7A4F-8F766BE85E93} - C:\WINDOWS\system32\nf.dll (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: dlbx_device - Dell - C:\WINDOWS\system32\dlbxcoms.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Windows Task Manager (Taskmng) - Unknown owner - C:\WINDOWS\system32\taskmang.exe (file missing)
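A triage pass over HijackThis-format lines like the ones above, as an added example rather than anything from the thread or from HijackThis itself: it flags the indicators the helper is acting on in this thread (an autostart whose target file is missing, a service with an unknown owner, a Run value registered under both HKLM and HKCU, O21 SSODL entries, and a BHO loaded from system32). The sample lines are a constructed subset modelled on the log posted above; the flag names and heuristics are my own.

```python
"""Flag review-worthy entries in a HijackThis-style log (added example, not HijackThis code)."""
import re
from collections import defaultdict

# Heuristic labels. These are the reviewer's own categories, not HijackThis output.
FLAG_MISSING = "autostart target file missing"
FLAG_UNKNOWN_OWNER = "service with unknown owner"
FLAG_CROSS_HIVE = "same Run entry under both HKLM and HKCU"
FLAG_SSODL = "ShellServiceObjectDelayLoad (O21) entry, review"
FLAG_BHO_SYSTEM32 = "browser helper object loaded from system32"

# Constructed subset modelled on the log posted above (not the full log).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Mucmlls] conlnuvl.exe
O4 - HKLM\..\Run: [nvcdllx] C:\WINDOWS\system32\cstatvmq.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [nvcdllx] C:\WINDOWS\system32\cstatvmq.exe
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Yahoo ToolBar - {BE756CFF-ADB4-4bc5-A35F-19E546E5710E} - C:\WINDOWS\system32\winnet.dll
O21 - SSODL: DCOM Server 60787 - {2C1CD3D7-86AC-4068-93BC-A02304B60787} - C:\WINDOWS\system32\vrqdp.dll
O21 - SSODL: VBewGyJeg - {44A4B783-EE0E-1D29-7A4F-8F766BE85E93} - C:\WINDOWS\system32\nf.dll (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Windows Task Manager (Taskmng) - Unknown owner - C:\WINDOWS\system32\taskmang.exe (file missing)
"""

RUN_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{[0-9A-Fa-f-]+\} - (?P<path>.+)$")
SVC_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")


def triage(log_text):
    """Return a list of (line, flag) pairs; a line may carry more than one flag."""
    findings = []
    run_hives = defaultdict(set)  # (name, command) -> hives it is registered in
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        # Any autostart whose target is gone is a remnant that still needs removing.
        if "(file missing)" in line:
            findings.append((line, FLAG_MISSING))
        m = RUN_RE.match(line)
        if m:
            run_hives[(m["name"].lower(), m["cmd"].lower())].add(m["hive"])
            continue
        if line.startswith("O21 - SSODL:"):
            # Shell service objects load into Explorer at logon; legitimate ones are rare.
            findings.append((line, FLAG_SSODL))
            continue
        m = SVC_RE.match(line)
        if m:
            if m["owner"].lower() == "unknown owner":
                findings.append((line, FLAG_UNKNOWN_OWNER))
            continue
        m = BHO_RE.match(line)
        if m and "\\system32\\" in m["path"].lower():
            # Vendor BHOs normally live under their own Program Files folder.
            findings.append((line, FLAG_BHO_SYSTEM32))
    for (name, cmd), hives in run_hives.items():
        if hives >= {"HKLM", "HKCU"}:
            findings.append((f"[{name}] {cmd}", FLAG_CROSS_HIVE))
    return findings


def report(findings):
    """Group findings by flag for a readable summary."""
    grouped = defaultdict(list)
    for line, flag in findings:
        grouped[flag].append(line)
    return dict(grouped)


if __name__ == "__main__":
    for flag, lines in report(triage(SAMPLE_LOG)).items():
        print(f"== {flag} ({len(lines)})")
        for entry in lines:
            print("   ", entry)
```

The flags are prompts for a human review, not verdicts: the legitimate NVIDIA service and Java BHO in the sample pass untouched, while the entries the helper targets in this thread are each surfaced at least once.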

#11 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts

Posted 04 February 2007 - 07:17 PM

First enable the viewing of Hidden files, follow these steps:

1. Close all programs so that you are at your desktop.
2. Double-click on the My Computer icon.
3. Select the Tools menu and click Folder Options.
4. After the new window appears select the View tab.
5. Put a checkmark in the checkbox labeled Display the contents of system folders.
6. Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
7. Remove the checkmark from the checkbox labeled Hide file extensions for known file types.
8. Remove the checkmark from the checkbox labeled Hide protected operating system files.
9. Press the Apply button and then the OK button and shutdown My Computer.
10. Now your computer is configured to show all hidden files.

===================

Download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.
Reboot your computer into Safe Mode.
Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select #2 and hit Enter to delete the infected files.
You will be prompted: 'Do you want to clean the registry?' answer Y (yes) and hit Enter in order to remove the Desktop background and clean registry keys associated with the infection.
The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found): 'Replace infected file ?' answer Y (yes) and hit Enter to restore a clean file.
A reboot may be needed to finish the cleaning process.
The report can be found at the root of the system drive, usually at C:\rapport.txt
Post the SmitfraudFix report in your next reply once you've done the steps below, please.

===================

Click on Start>Run and type Services.msc then hit Ok.
Scroll down and find the service called:
Windows Task Manager (Taskmng)
When you find it, double-click on it.
In the next window that opens, click the 'Stop' button.
Then change the 'Startup Type:' to 'Disabled'.
Now press Apply and then Ok and close any open windows.

===================

Please download/install AVG Anti-Spyware 7.5.
Please follow these instructions carefully.
Launch/start up AVG Anti-Spyware.
On the main page click the 'Update' tab, and then 'Start Update'.
Once the updates have been installed, do the following:
Select the 'Scanner' icon at the top of the screen, then select the 'Settings' tab.
Once in the 'Settings' screen, under 'How to act?', then under 'Set default action for detected malware to:', click on 'Recommended actions', then click on 'Quarantine'.
Under 'Reports' select 'Automatically generate report after every scan' and unselect 'Only if threats were found'.
Exit AVG Anti-Spyware, don't run the scan just yet.

You might want to print/copy the following as you need to be in Safe Mode from here on.

Reboot your computer into "Safe Mode" using the F8 method.
To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly.
A menu will appear with several options.
Use the arrow keys on your keyboard to navigate and select the option to run Windows in "Safe Mode".

Have Hijack This fix the following by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:

R3 - URLSearchHook: (no name) - - (no file)
O2 - BHO: Yahoo ToolBar - {BE756CFF-ADB4-4bc5-A35F-19E546E5710E} - C:\WINDOWS\system32\winnet.dll
O4 - HKLM\..\Run: [upp] c:\windows\system32\upnp.exe
O4 - HKLM\..\Run: [Mucmlls] conlnuvl.exe
O4 - HKLM\..\Run: [nvcdllx] C:\WINDOWS\system32\cstatvmq.exe
O4 - HKCU\..\Run: [dnhlpss] C:\WINDOWS\system32\hssmkrsc.exe
O4 - HKCU\..\Run: [rmskbsl] C:\WINDOWS\system32\amtlldm.exe
O4 - HKCU\..\Run: [nvcdllx] C:\WINDOWS\system32\cstatvmq.exe
O21 - SSODL: DCOM Server 60787 - {2C1CD3D7-86AC-4068-93BC-A02304B60787} - C:\WINDOWS\system32\vrqdp.dll
O21 - SSODL: VBewGyJeg - {44A4B783-EE0E-1D29-7A4F-8F766BE85E93} - C:\WINDOWS\system32\nf.dll (file missing)
O23 - Service: Windows Task Manager (Taskmng) - Unknown owner - C:\WINDOWS\system32\taskmang.exe (file missing)

Exit HijackThis, then find and delete the following if present:
C:\WINDOWS\system32\conlnuvl.exe
C:\WINDOWS\system32\cstatvmq.exe
C:\WINDOWS\system32\hssmkrsc.exe
C:\WINDOWS\system32\amtlldm.exe
C:\WINDOWS\system32\winnet.dll
c:\windows\system32\upnp.exe
C:\WINDOWS\system32\cstatvmq.exe
C:\WINDOWS\system32\vrqdp.dll

Still in Safe Mode launch AVG Anti-Spyware.
Click the 'Scanner' icon at the top.
To start the scan click on 'Complete System Scan'.
Please be patient, it takes a while for the scan to finish.

Once the scan is complete, do the following.
If AVG Anti-Spyware detected any infected objects, click on 'Apply All Actions'.
Next click on 'Save Report'.
Copy and paste that report into your next reply.
The report can be found under the 'Reports' tab at the top.
Close AVG Anti-Spyware when you're done.
Reboot normally.


Please run Combofix again and post a new Combofix report.
Also post the SmitfraudFix report, the AVG Anti-Spyware report, and a new HijackThis log in your next reply.

Edited by RichieUK, 04 February 2007 - 07:44 PM.

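The fix list in the post above is built from a handful of signals that can be read straight off the HijackThis log: autostart entries whose file no longer exists, a service with 'Unknown owner', a BHO and a ShellServiceObjectDelayLoad object sitting in system32 under names Windows never ships, the same executable registered under both the HKLM and HKCU Run keys, and value names that look like keyboard noise. The script below is an added example written for this page, not HijackThis code and not anything from the thread; it scores those signals over a constructed sample made of most of the lines quoted in the post plus a few benign entries from the same log, so the reader can see why ctfmon.exe and NvCplDaemon, which also start from system32, score zero. The allow-lists SYSDIR_OK and SSODL_OK, the treatment of a bare file name as "system directory", and the random-name heuristic are assumptions for the demo; on a real case the allow-list comes from a known-clean machine of the same Windows build.

```python
"""Score HijackThis autostart lines with the signals the helper used (added example, not HijackThis code)."""
import re
from dataclasses import dataclass, field

# Constructed sample (assumption): lines the helper told the poster to fix, plus benign ones from the same log.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - - (no file)
O2 - BHO: Yahoo ToolBar - {BE756CFF-ADB4-4bc5-A35F-19E546E5710E} - C:\WINDOWS\system32\winnet.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [upp] c:\windows\system32\upnp.exe
O4 - HKLM\..\Run: [Mucmlls] conlnuvl.exe
O4 - HKLM\..\Run: [nvcdllx] C:\WINDOWS\system32\cstatvmq.exe
O4 - HKCU\..\Run: [dnhlpss] C:\WINDOWS\system32\hssmkrsc.exe
O4 - HKCU\..\Run: [nvcdllx] C:\WINDOWS\system32\cstatvmq.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O21 - SSODL: DCOM Server 60787 - {2C1CD3D7-86AC-4068-93BC-A02304B60787} - C:\WINDOWS\system32\vrqdp.dll
O21 - SSODL: VBewGyJeg - {44A4B783-EE0E-1D29-7A4F-8F766BE85E93} - C:\WINDOWS\system32\nf.dll (file missing)
O23 - Service: Windows Task Manager (Taskmng) - Unknown owner - C:\WINDOWS\system32\taskmang.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

# Assumption: OS binaries that legitimately autostart from the system directory (derive from a clean build in practice).
SYSDIR_OK = {"ctfmon.exe", "rundll32.exe", "regsvr32.exe"}
# Assumption: the ShellServiceObjectDelayLoad (SSODL) names Windows XP ships with.
SSODL_OK = {"webcheck", "postbootreminder", "cdburn", "systray"}


@dataclass
class Entry:
    section: str          # R3, O2, O4, O21, O23
    name: str             # display name, or the Run value name for O4
    extra: str            # CLSID or service owner; empty for O4
    target: str           # file path, or the full Run command for O4
    line: str
    missing: bool = False
    reasons: list = field(default_factory=list)   # (why, weight): 2 = strong, 1 = weak
    score: int = 0


_O4 = re.compile(r"\[([^\]]*)\]\s*(.*)")
_EXE = re.compile(r'"([^"]*)"|(.+?\.(?:exe|com|scr|dll))(?=\s|$)|(\S+)', re.I)


def parse_line(line):
    prefix, _, rest = line.strip().partition(": ")
    if " - " not in prefix or not rest:
        return None
    section = prefix.partition(" - ")[0]
    missing = rest.endswith("(file missing)") or rest.endswith("(no file)")
    rest = rest.removesuffix(" (file missing)")
    if section == "O4":                          # [value name] command
        m = _O4.match(rest)
        return Entry(section, m.group(1), "", m.group(2), line, missing) if m else None
    if section in ("R3", "O2", "O21", "O23"):    # name - CLSID/owner - path
        parts = rest.replace(" - - ", " -  - ").split(" - ")   # HJT collapses an empty middle field
        if len(parts) >= 3:
            return Entry(section, parts[0], parts[1], parts[-1], line, missing)
    return None


def exe_of(command):
    """Executable a Run command launches: quoted path, else the leading path up to its extension, else first token."""
    m = _EXE.match(command.strip())
    return next(g for g in m.groups() if g is not None) if m else ""


def basename(path):
    base = path.rsplit("\\", 1)[-1].lower()
    return base if "." in base else base + ".exe"   # CreateProcess appends .exe to a bare name


def looks_random(token):
    """Weak heuristic: 7+ lowercase letters with under 30% vowels, e.g. 'hssmkrsc'; some OS names trip it too."""
    stem = token.rsplit(".", 1)[0]
    if not (stem.isalpha() and stem.islower() and len(stem) >= 7):
        return False
    return sum(c in "aeiou" for c in stem) / len(stem) < 0.3


def triage(text):
    entries = [e for e in map(parse_line, text.splitlines()) if e]
    runs = {}
    for e in entries:
        if e.section == "O4":
            runs.setdefault(basename(exe_of(e.target)), []).append(e)
    for e in entries:
        if e.missing:
            e.reasons.append(("autostart points at a file that no longer exists", 2))
        if e.section == "O23" and e.extra.lower() == "unknown owner":
            e.reasons.append(("service binary carries no vendor information", 2))
        if e.section == "O2" and "\\windows\\" in e.target.lower():
            e.reasons.append(("browser helper object loaded from the Windows tree", 2))
        if e.section == "O21" and e.name.lower() not in SSODL_OK:
            e.reasons.append(("SSODL entry is not one Windows XP ships with", 2))
        if e.section == "O4":
            exe = exe_of(e.target).lower()
            base = basename(exe)
            if ("\\" not in exe or "\\windows\\" in exe) and base not in SYSDIR_OK:   # bare name: system path lookup
                e.reasons.append(("autostarts from the system directory but is not a known OS binary", 2))
            if len(runs[base]) > 1:
                e.reasons.append(("same executable registered under more than one Run key", 2))
            for tok, what in ((e.name, "Run value name"), (base, "executable name")):
                if looks_random(tok):
                    e.reasons.append((f"random-looking {what}", 1))
        e.score = sum(w for _, w in e.reasons)
    flagged = sorted((e for e in entries if e.score >= 2), key=lambda e: -e.score)   # one strong or two weak signals
    return flagged, [e for e in entries if e.score < 2]
```

`triage(SAMPLE_LOG)` returns the flagged entries first, each carrying its list of reasons, and the clean ones second; run it on a copy of the log rather than on the infected machine. The scoring is deliberately conservative about what it calls a strong signal: a missing file, an unknown service owner, a duplicate Run entry and a non-default SSODL name each stand on their own, while the random-name heuristic only adds weight, since legitimate OS names such as svchost would trip it.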

#12 rwalker00

rwalker00
  • Topic Starter

  • Members
  • 13 posts

Posted 04 February 2007 - 10:16 PM

SmitFraudFix v2.138

Scan done at 19:56:01.60, Sun 02/04/2007
Run from C:\Documents and Settings\Rela Walker\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{2C1CD3D7-86AC-4068-93BC-A02304B60787}"="DCOM Server 60787"

[HKEY_CLASSES_ROOT\CLSID\{2C1CD3D7-86AC-4068-93BC-A02304B60787}\InProcServer32]
@="C:\WINDOWS\system32\vrqdp.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{2C1CD3D7-86AC-4068-93BC-A02304B60787}\InProcServer32]
@="C:\WINDOWS\system32\vrqdp.dll"


»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{2C1CD3D7-86AC-4068-93BC-A02304B60787}"="DCOM Server 60787"

[HKEY_CLASSES_ROOT\CLSID\{2C1CD3D7-86AC-4068-93BC-A02304B60787}\InProcServer32]
@="C:\WINDOWS\system32\vrqdp.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{2C1CD3D7-86AC-4068-93BC-A02304B60787}\InProcServer32]
@="C:\WINDOWS\system32\vrqdp.dll"



»»»»»»»»»»»»»»»»»»»»»»»» End

"Rela Walker" - 07-02-04 22:08:25 Service Pack 2
ComboFix 07.02.04 - Running from: "C:\Documents and Settings\Rela Walker\Desktop"

((((((((((((((((((((((((((((((( Files Created from 2007-01-04 to 2007-02-04 ))))))))))))))))))))))))))))))))))


2007-02-04 20:09 3,968 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\AvgAsCln.sys
2007-02-04 20:09 <DIR> d-------- C:\Program Files\Grisoft
2007-02-04 19:56 4,022 --a------ C:\WINDOWS\SYSTEM32\tmp.reg
2007-02-04 18:41 <DIR> d-------- C:\avenger
2007-02-04 18:38 <DIR> d-------- C:\Rustbfix
2007-02-04 16:17 <DIR> d-------- C:\DOCUME~1\RELAWA~1\DoctorWeb
2007-02-04 15:12 <DIR> d-------- C:\SDFix
2007-02-04 14:21 <DIR> d-------- C:\Program Files\HijackThis
2007-02-04 14:15 <DIR> d-------- C:\WINDOWS\SYSTEM32\ActiveScan
2007-02-04 14:11 <DIR> d-------- C:\DOCUME~1\RELAWA~1\.housecall6.6
2007-02-04 13:27 77,466 --a------ C:\WINDOWS\bgtrneiknkjnew.exe
2007-02-04 13:24 7,763 --a------ C:\WINDOWS\SYSTEM32\windll.dll
2007-02-04 03:30 6,837 --a------ C:\WINDOWS\SYSTEM32\pstore.dll
2007-02-04 02:23 18,570 --a------ C:\WINDOWS\nsicknjnfew.exe
2007-02-04 02:23 18,570 --a------ C:\WINDOWS\njfekmfde.exe
2007-02-04 02:07 4,373 --a------ C:\WINDOWS\SYSTEM32\ws_imod.dll
2007-02-04 02:07 2,245 --a------ C:\WINDOWS\SYSTEM32\mcert.dll
2007-02-04 02:07 18,570 --a------ C:\WINDOWS\SYSTEM32\abc.exe
2007-02-04 02:06 5,976 --a------ C:\WINDOWS\SYSTEM32\mt_32.dll
2007-02-04 02:06 169,984 --a------ C:\WINDOWS\SYSTEM32\vrqdp.dll
2007-02-04 01:51 <DIR> d--hs---- C:\WINDOWS\ftpcache
2007-02-04 01:51 <DIR> d-------- C:\Program Files\Show.kit 2.1
2007-02-04 00:02 <DIR> d-------- C:\Program Files\show.kit
2007-01-30 16:19 <DIR> d-------- C:\Program Files\Yahoo SiteBuilder
2007-01-25 19:47 <DIR> d-------- C:\DOCUME~1\RELAWA~1\Application Data\Nvu
2007-01-16 19:00 <DIR> d-------- C:\Program Files\IrfanView


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-02-04 19:48 -------- d-------- C:\Program Files\dl_cats
2007-02-04 02:33 -------- d-------- C:\Program Files\limewire
2007-02-04 02:07 -------- d---s---- C:\DOCUME~1\RELAWA~1\Application Data\microsoft
2007-02-04 00:05 7002 --a------ C:\DOCUME~1\RELAWA~1\Application Data\wklnhst.dat
2007-02-01 17:45 -------- d-------- C:\DOCUME~1\RELAWA~1\Application Data\adobeum
2007-01-30 18:24 -------- d-------- C:\Program Files\ares
2007-01-25 19:47 -------- d-------- C:\DOCUME~1\RELAWA~1\Application Data\mozilla
2007-01-16 19:48 -------- d-------- C:\Program Files\microsoft picture it! 9
2006-12-30 14:46 -------- d-------- C:\DOCUME~1\RELAWA~1\Application Data\snapfish
2006-12-27 21:18 -------- d-------- C:\DOCUME~1\RELAWA~1\Application Data\sony corporation
2006-12-27 20:06 -------- d--h----- C:\Program Files\installshield installation information
2006-12-27 20:05 -------- d-------- C:\Program Files\sony
2006-12-25 00:06 133632 --a------ C:\WINDOWS\SYSTEM32\spoonuninstall.exe
2006-12-20 18:25 -------- d-------- C:\Program Files\nero
2006-12-20 18:25 -------- d-------- C:\DOCUME~1\RELAWA~1\Application Data\simple star
2006-12-20 18:25 -------- d-------- C:\DOCUME~1\RELAWA~1\Application Data\ahead
2006-12-20 18:24 -------- d-------- C:\Program Files\ahead
2006-12-20 18:22 -------- d-------- C:\Program Files\Common Files\nero
2006-12-20 18:21 -------- d-------- C:\Program Files\Common Files\ahead
2006-12-17 22:57 -------- d-------- C:\Program Files\quicktime
2006-12-15 17:01 -------- d-------- C:\Program Files\dell
2006-12-15 13:57 -------- d-------- C:\DOCUME~1\RELAWA~1\Application Data\yahoo!
2006-12-14 00:21 -------- d-------- C:\Program Files\windows media connect 2
2006-12-07 00:29 2374472 --a------ C:\WINDOWS\SYSTEM32\wmvcore.dll
2006-11-10 18:21 70952 --a------ C:\DOCUME~1\RELAWA~1\Application Data\gdipfontcachev1.dat
2006-11-08 00:06 679424 --a------ C:\WINDOWS\SYSTEM32\inetcomm.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"DellSupport"="\"C:\\Program Files\\Dell Support\\DSAgnt.exe\" /startup"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Yahoo! Pager"="\"C:\\PROGRA~1\\Yahoo!\\MESSEN~1\\YAHOOM~1.EXE\" -quiet"
"WebCamRT.exe"=""
"H/PC Connection Agent"="\"C:\\Program Files\\Microsoft ActiveSync\\WCESCOMM.EXE\""
"PhotoShow Deluxe Media Manager"="C:\\PROGRA~1\\Nero\\data\\Xtras\\mssysmgr.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"BCMSMMSG"="BCMSMMSG.exe"
"CTSysVol"="C:\\Program Files\\Creative\\SBAudigy2\\Surround Mixer\\CTSysVol.exe"
"CTDVDDet"="C:\\Program Files\\Creative\\SBAudigy2\\DVDAudio\\CTDVDDet.EXE"
"CTHelper"="CTHELPER.EXE"
"AsioReg"="REGSVR32.EXE /S CTASIO.DLL"
"UpdReg"="C:\\WINDOWS\\UpdReg.EXE"
"LVCOMS"="C:\\Program Files\\Common Files\\Logitech\\QCDriver3\\LVCOMS.EXE"
"LogitechGalleryRepair"="C:\\Program Files\\Logitech\\ImageStudio\\ISStart.exe"
"LogitechImageStudioTray"="C:\\Program Files\\Logitech\\ImageStudio\\LogiTray.exe"
"MimBoot"="C:\\PROGRA~1\\MUSICM~1\\MUSICM~2\\mimboot.exe"
"dlbxmon.exe"="\"C:\\Program Files\\Dell Photo AIO Printer 962\\dlbxmon.exe\""
"Microsoft Works Update Detection"="C:\\Program Files\\Common Files\\Microsoft Shared\\Works Shared\\WkUFind.exe"
"PCMService"="\"C:\\Program Files\\Dell\\Media Experience\\PCMService.exe\""
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"DLBXCATS"="rundll32 C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\DLBXtime.dll,_RunDLLEntry@16"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_09\\bin\\jusched.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Microsoft Office.lnk"
"backup"="C:\\WINDOWS\\pss\\Microsoft Office.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\MICROS~4\\Office10\\OSA.EXE -b -l"
"item"="Microsoft Office"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ErrorHunter]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ErrorHunter"
"hkey"="HKCU"
"command"="C:\\Program Files\\Error Hunter\\ErrorHunter.exe"
"inimapping"="0"


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{553858A7-4922-4e7e-B1C1-97140C1C16EF}"="IE Component Categories cache daemon"
"{2C1CD3D7-86AC-4068-93BC-A02304B60787}"="DCOM Server 60787"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoCDBurning"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0



********************************************************************

catchme 0.1 W2K/XP - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLBXCATS = rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLBXtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

********************************************************************

Completion time: 07-02-04 22:11:49
C:\ComboFix2.txt ... 07-02-04 17:58

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 10:03:12 PM 2/4/2007

+ Scan result:



HKLM\SOFTWARE\Classes\SWLAD1.SWLAD -> Adware.AdDestroyer : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\SWLAD1.SWLAD\Clsid -> Adware.AdDestroyer : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\SHAgentNew.dll -> Adware.BargainBuddy : Cleaned with backup (quarantined).
C:\WINDOWS\bsx32 -> Adware.BookedSpace : Cleaned with backup (quarantined).
C:\WINDOWS\bsx32\ADBN3.bsx -> Adware.BookedSpace : Cleaned with backup (quarantined).
C:\WINDOWS\bsx32\ADTMI1.bsx -> Adware.BookedSpace : Cleaned with backup (quarantined).
C:\WINDOWS\bsx32\ADVC5.bsx -> Adware.BookedSpace : Cleaned with backup (quarantined).
C:\WINDOWS\bsx32\ADVCTX2.bsx -> Adware.BookedSpace : Cleaned with backup (quarantined).
C:\WINDOWS\bsx32\ASIB9894.bsx -> Adware.BookedSpace : Cleaned with backup (quarantined).
C:\WINDOWS\bsx32\ASIC29667.bsx -> Adware.BookedSpace : Cleaned with backup (quarantined).
C:\WINDOWS\bsx32\ASID12180.bsx -> Adware.BookedSpace : Cleaned with backup (quarantined).
C:\WINDOWS\bsx32\ASIE17070.bsx -> Adware.BookedSpace : Cleaned with backup (quarantined).
C:\WINDOWS\bsx32\ASIF29819.bsx -> Adware.BookedSpace : Cleaned with backup (quarantined).
C:\WINDOWS\bsx32\ASIF4502.bsx -> Adware.BookedSpace : Cleaned with backup (quarantined).
C:\WINDOWS\bsx32\ASIFA15376.bsx -> Adware.BookedSpace : Cleaned with backup (quarantined).
C:\WINDOWS\bsx32\ASIFWH29233.bsx -> Adware.BookedSpace : Cleaned with backup (quarantined).
C:\WINDOWS\bsx32\ASIG21943.bsx -> Adware.BookedSpace : Cleaned with backup (quarantined).
C:\WINDOWS\bsx32\ASIGT10102.bsx -> Adware.BookedSpace : Cleaned with backup (quarantined).
C:\WINDOWS\bsx32\ASIH21180.bsx -> Adware.BookedSpace : Cleaned with backup (quarantined).
C:\WINDOWS\bsx32\ASIH7853.bsx -> Adware.BookedSpace : Cleaned with backup (quarantined).
C:\WINDOWS\bsx32\ASII21469.bsx -> Adware.BookedSpace : Cleaned with backup (quarantined).
C:\WINDOWS\bsx32\ASIL18549.bsx -> Adware.BookedSpace : Cleaned with backup (quarantined).
C:\WINDOWS\bsx32\ASILS29399.bsx -> Adware.BookedSpace : Cleaned with backup (quarantined).
C:\WINDOWS\bsx32\ASIM4381.bsx -> Adware.BookedSpace : Cleaned with backup (quarantined).
C:\WINDOWS\bsx32\ASIM9740.bsx -> Adware.BookedSpace : Cleaned with backup (quarantined).
C:\WINDOWS\bsx32\ASIOG19375.bsx -> Adware.BookedSpace : Cleaned with backup (quarantined).
C:\WINDOWS\bsx32\ASIOT25456.bsx -> Adware.BookedSpace : Cleaned with backup (quarantined).
C:\WINDOWS\bsx32\ASIPF1965.bsx -> Adware.BookedSpace : Cleaned with backup (quarantined).
C:\WINDOWS\bsx32\ASIR21184.bsx -> Adware.BookedSpace : Cleaned with backup (quarantined).
C:\WINDOWS\bsx32\ASIRE20082.bsx -> Adware.BookedSpace : Cleaned with backup (quarantined).
C:\WINDOWS\bsx32\ASIS24110.bsx -> Adware.BookedSpace : Cleaned with backup (quarantined).
C:\WINDOWS\bsx32\ASIS31590.bsx -> Adware.BookedSpace : Cleaned with backup (quarantined).
C:\WINDOWS\bsx32\ASIT17011.bsx -> Adware.BookedSpace : Cleaned with backup (quarantined).
C:\WINDOWS\bsx32\ASIT26116.bsx -> Adware.BookedSpace : Cleaned with backup (quarantined).
C:\WINDOWS\bsx32\ASIW11211.bsx -> Adware.BookedSpace : Cleaned with backup (quarantined).
C:\WINDOWS\bsx32\ASIWS3.bsx -> Adware.BookedSpace : Cleaned with backup (quarantined).
C:\WINDOWS\bsx32\AUTOS2.bsx -> Adware.BookedSpace : Cleaned with backup (quarantined).
C:\WINDOWS\bsx32\BID1.bsx -> Adware.BookedSpace : Cleaned with backup (quarantined).
C:\WINDOWS\bsx32\BingoRoom1.bsx -> Adware.BookedSpace : Cleaned with backup (quarantined).
C:\WINDOWS\bsx32\CARD2.bsx -> Adware.BookedSpace : Cleaned with backup (quarantined).
C:\WINDOWS\bsx32\CARS3.bsx -> Adware.BookedSpace : Cleaned with backup (quarantined).
C:\WINDOWS\bsx32\CASH2.bsx -> Adware.BookedSpace : Cleaned with backup (quarantined).
C:\WINDOWS\bsx32\DATE4.bsx -> Adware.BookedSpace : Cleaned with backup (quarantined).
C:\WINDOWS\bsx32\EECH1.bsx -> Adware.BookedSpace : Cleaned with backup (quarantined).
C:\WINDOWS\bsx32\EML1.bsx -> Adware.BookedSpace : Cleaned with backup (quarantined).
C:\WINDOWS\bsx32\FAST1.bsx -> Adware.BookedSpace : Cleaned with backup (quarantined).
C:\WINDOWS\bsx32\FINC3.bsx -> Adware.BookedSpace : Cleaned with backup (quarantined).
C:\WINDOWS\bsx32\FINC5.bsx -> Adware.BookedSpace : Cleaned with backup (quarantined).
C:\WINDOWS\bsx32\FLWR1.bsx -> Adware.BookedSpace : Cleaned with backup (quarantined).
C:\WINDOWS\bsx32\FMND1.bsx -> Adware.BookedSpace : Cleaned with backup (quarantined).
C:\WINDOWS\bsx32\HEBE3.bsx -> Adware.BookedSpace : Cleaned with backup (quarantined).
C:\WINDOWS\bsx32\HERBS1.bsx -> Adware.BookedSpace : Cleaned with backup (quarantined).
C:\WINDOWS\bsx32\HOGAR3.bsx -> Adware.BookedSpace : Cleaned with backup (quarantined).
C:\WINDOWS\bsx32\INK1.bsx -> Adware.BookedSpace : Cleaned with backup (quarantined).
C:\WINDOWS\bsx32\JOBS4.bsx -> Adware.BookedSpace : Cleaned with backup (quarantined).
C:\WINDOWS\bsx32\MORT4.bsx -> Adware.BookedSpace : Cleaned with backup (quarantined).
C:\WINDOWS\bsx32\MORT5.bsx -> Adware.BookedSpace : Cleaned with backup (quarantined).
C:\WINDOWS\bsx32\MOVS2.bsx -> Adware.BookedSpace : Cleaned with backup (quarantined).
C:\WINDOWS\bsx32\NEWS2.bsx -> Adware.BookedSpace : Cleaned with backup (quarantined).
C:\WINDOWS\bsx32\OPPR3.bsx -> Adware.BookedSpace : Cleaned with backup (quarantined).
C:\WINDOWS\bsx32\SHOP2.bsx -> Adware.BookedSpace : Cleaned with backup (quarantined).
C:\WINDOWS\bsx32\SPZ3.bsx -> Adware.BookedSpace : Cleaned with backup (quarantined).
C:\WINDOWS\bsx32\TECH2.bsx -> Adware.BookedSpace : Cleaned with backup (quarantined).
C:\WINDOWS\bsx32\TMP3.bsx -> Adware.BookedSpace : Cleaned with backup (quarantined).
C:\WINDOWS\bsx32\TRVL6.bsx -> Adware.BookedSpace : Cleaned with backup (quarantined).
C:\WINDOWS\bsx32\UTONE2.bsx -> Adware.BookedSpace : Cleaned with backup (quarantined).
C:\WINDOWS\bsx32\VENUE1.bsx -> Adware.BookedSpace : Cleaned with backup (quarantined).
C:\WINDOWS\bsx32\WWW3.bsx -> Adware.BookedSpace : Cleaned with backup (quarantined).
C:\WINDOWS\bsx32\XTFL2.bsx -> Adware.BookedSpace : Cleaned with backup (quarantined).
HKLM\SOFTWARE\PowerScan -> Adware.PowerScan : Cleaned with backup (quarantined).
HKU\S-1-5-21-593452592-1264512174-2530381137-1007\Software\Bundles -> Adware.SecondThought : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1231\A0219744.dll -> Adware.VirtualBouncer : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\ins -> Adware.WebRebates : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1231\A0219743.ocx -> Downloader.IstBar : Cleaned with backup (quarantined).
C:\SDFix\backups\backups.zip/backups/dlh9jkd1q1.exe -> Downloader.Small : Cleaned with backup (quarantined).
C:\Documents and Settings\Rela Walker\DoctorWeb\Quarantine\ysbactivex.dll -> Downloader.Zlob : Cleaned with backup (quarantined).
C:\SDFix\backups\backups.zip/backups/comdlj32.dll -> Proxy.Agent.ji : Cleaned with backup (quarantined).
C:\Documents and Settings\Rela Walker\Local Settings\Temp\maindll.dll -> Proxy.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1231\A0219742.exe -> Proxy.Wopla.ac : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1231\A0219745.exe -> Proxy.Wopla.ac : Cleaned with backup (quarantined).
C:\Documents and Settings\Rela Walker\Cookies\rela_walker@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\SDFix\backups\backups.zip/backups/vxg3am1et3.exe -> Trojan.Small : Cleaned with backup (quarantined).
C:\SDFix\backups\backups.zip/backups/vxga8me6.exe -> Trojan.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1231\A0219746.exe -> Trojan.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1231\A0219747.exe -> Trojan.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1231\A0219748.exe -> Trojan.Small : Cleaned with backup (quarantined).


::Report end

Logfile of HijackThis v1.99.1
Scan saved at 10:14:39 PM, on 2/4/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5450.0004)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
C:\Program Files\Logitech\ImageStudio\LogiTray.exe
C:\Program Files\Dell Photo AIO Printer 962\dlbxmon.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe
C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\MUSICM~1\MUSICM~2\MMDiag.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mim.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dlbxcoms.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~2\mimboot.exe
O4 - HKLM\..\Run: [dlbxmon.exe] "C:\Program Files\Dell Photo AIO Printer 962\dlbxmon.exe"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DLBXCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLBXtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe
O4 - Startup: Cyber-shot Viewer Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...96/mcinsctl.cab
O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://www.slide.com/uploader/SlideImageUploader.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3301A119-C6FE-4FD8-ADC9-6148B45F0A22}: NameServer = 66.35.255.12
O17 - HKLM\System\CCS\Services\Tcpip\..\{AE3C5B2C-23C5-4725-8943-A79A2A22B3DA}: NameServer = 66.35.255.12
O17 - HKLM\System\CCS\Services\Tcpip\..\{EE70919B-B981-43C2-AA95-D2BCFF4E473E}: NameServer = 66.35.255.12
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: dlbx_device - Dell - C:\WINDOWS\system32\dlbxcoms.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

#13 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  • Local time:09:33 AM

Posted 05 February 2007 - 03:31 AM

Copy and paste the following bold blue text in between the lines into Notepad.
Click on File (in the menu at the top) > Save as... Save as Type: 'All Files', File name: fix.reg, to your desktop.
Then double-click on the fix.reg file on your desktop and agree to merge it into the registry, then reboot.
==============================================
Windows Registry Editor Version 5.00

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ErrorHunter]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{2C1CD3D7-86AC-4068-93BC-A02304B60787}"=-

==============================================

You've no virus protection installed.
Download/install AVG Free Edition Antivirus:
http://free.grisoft.com/softw/70free/setup...ree_432a904.exe
Once installed update AVG's definition files and run a full system virus scan.

============================

Download Killbox by Option^Explicit:
http://www.killbox.net/downloads/KillBox.exe
Save it to your desktop.
Please double-click Killbox.exe to run it.
Select: 'Delete on Reboot'.
Then Click on the 'All Files' button.
Please copy ALL the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\WINDOWS\bgtrneiknkjnew.exe
C:\WINDOWS\SYSTEM32\windll.dll
C:\WINDOWS\nsicknjnfew.exe
C:\WINDOWS\njfekmfde.exe
C:\WINDOWS\SYSTEM32\ws_imod.dll
C:\WINDOWS\SYSTEM32\mcert.dll
C:\WINDOWS\SYSTEM32\abc.exe
C:\WINDOWS\SYSTEM32\mt_32.dll
C:\WINDOWS\SYSTEM32\vrqdp.dll


Return to Killbox, go to the File menu, and choose 'Paste from Clipboard'.
Click the red-and-white Delete File button.
Click 'Yes' at the 'Delete on Reboot' prompt.
Click OK at any 'PendingFileRenameOperations' prompt.
If your computer does not restart automatically, please restart it manually.
After rebooting, open up Killbox again.
Click 'File'>'Logs'>'Actions History Log'.
Post that log into your next reply.

============================

Please run the F-Secure online virus/spyware scan using Internet Explorer:
http://support.f-secure.com/enu/home/ols3.shtml
Follow the directions in the F-Secure page for proper Installation.
Accept the License Agreement.
Once the ActiveX installs, click 'Custom Scan' and be sure the following are checked:
1. Scan whole system
2. Scan all files
3. Scan whole system for rootkits
4. Scan whole system for spyware
5. Scan inside archives
6. Use advanced heuristics
Once the download completes, the scan will begin automatically.
The scan will take some time to finish, so please be patient.
When the scan completes, click the 'I want to decide item by item' button.
For each item found, select 'Disinfect' and click 'Next'.
Click the 'Show Report' button, then copy and paste the entire report into your next reply.

Reboot, post the Killbox log, the F-Secure report and a new HijackThis log into your next reply.
Let me know how your PC is running now.

#14 rwalker00

rwalker00
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:03:33 AM

Posted 05 February 2007 - 02:18 PM

It says this when I try to do step 1:

Cannot import C:\Documents and Settings\Rela Walker\Desktop\fix.reg: This specified file is not a registry script. You can only import binary registry files from within the registry editor.

#15 rwalker00

rwalker00
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:03:33 AM

Posted 05 February 2007 - 02:20 PM

Never mind... I wasn't copying the whole blue section. Duh!
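The "not a registry script" error in the two replies above is what regedit reports when the first line of the file is not the registry script header, which is exactly what gets lost when only the key lines are copied. As an added example (not from the thread and not part of regedit, Killbox or any other tool named here), this Python parser performs that same header check and lists what the posted fix.reg would do to the registry before it is merged; the function and exception names are my own, and the sample text is the fix from the thread.

```python
import re

# Constructed sample: the fix.reg text posted earlier in this thread (header plus two entries).
FIX_REG = """Windows Registry Editor Version 5.00

[-HKEY_LOCAL_MACHINE\\software\\microsoft\\shared tools\\msconfig\\startupreg\\ErrorHunter]
[HKEY_LOCAL_MACHINE\\software\\microsoft\\windows\\currentversion\\explorer\\sharedtaskscheduler]
"{2C1CD3D7-86AC-4068-93BC-A02304B60787}"=-
"""

# Regedit accepts either the 5.00 header or the older REGEDIT4 header on line one.
HEADERS = ("Windows Registry Editor Version 5.00", "REGEDIT4")


class RegScriptError(ValueError):
    """Raised for the same conditions under which regedit refuses to import a file."""


def parse_reg(text):
    """Return (operation, key, value_name, data) tuples describing what a .reg script would do."""
    lines = [l.strip() for l in text.lstrip("\ufeff").splitlines()]
    if not lines or lines[0] not in HEADERS:
        # This is the case behind regedit's "This specified file is not a registry script".
        raise RegScriptError("missing registry script header line")
    ops, key = [], None
    for line in lines[1:]:
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            body = line[1:-1]
            if body.startswith("-"):           # [-KEY] deletes the whole key
                ops.append(("delete_key", body[1:], None, None))
                key = None
            else:                              # [KEY] creates/selects the key
                key = body
                ops.append(("ensure_key", key, None, None))
            continue
        m = re.match(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$', line)
        if m is None or key is None:
            raise RegScriptError("malformed line: " + line)
        name = "" if m.group(1) == "@" else m.group(2)
        data = m.group(3)
        if data == "-":                        # "name"=- deletes that value
            ops.append(("delete_value", key, name, None))
        else:
            ops.append(("set_value", key, name, data))
    return ops


if __name__ == "__main__":
    for op in parse_reg(FIX_REG):
        print(op)
```

Running the parser on the same text with its first line removed raises RegScriptError, which is the situation the two replies above describe.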



