
Hijack This Log


  • This topic is locked
16 replies to this topic

#1 Doxxs

Doxxs

  • Members
  • 16 posts
  • OFFLINE
  • Local time:10:50 AM

Posted 14 February 2007 - 08:19 AM

Logfile of HijackThis v1.99.1
Scan saved at 7:16:06 AM, on 2/14/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\WINDOWS\system32\STEM32~1\msdtc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\NeuroWorks\sentry.exe
C:\WINDOWS\System32\svchost.exe
C:\NeuroWorks\EvtMsgSvc.exe
C:\NeuroWorks\storage.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\A?pPatch\?hkdsk.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Documents and Settings\PH\Desktop\Analyse.exe.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {17C64889-D03A-A9B9-1D72-DC581578F7CC} - C:\WINDOWS\system32\datz.dll (file missing)
O2 - BHO: (no name) - {1F003B83-0A14-6EF6-B7C2-01258D670EC4} - C:\WINDOWS\system32\xpsjall.dll
O2 - BHO: (no name) - {4DE230C1-557B-A34D-9B28-091F097A3DF1} - C:\WINDOWS\system32\ioicbbh.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {676D3439-CDFB-98B3-3753-0A0472202F24} - C:\WINDOWS\system32\flrnpsj.dll
O2 - BHO: (no name) - {68D5CF1D-EC5C-4bdd-A9EF-F0E517565D50} - C:\WINDOWS\system32\aembnwlv.dll
O2 - BHO: (no name) - {6AC3A932-D6A4-1948-73F0-09B2D3C2BEB1} - C:\WINDOWS\system32\yqfpdqm.dll
O2 - BHO: (no name) - {6D1A2FF3-1ADF-4935-A2A7-CA9DCE67D450} - C:\WINDOWS\system32\nnnnnnm.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: (no name) - {8E48C31E-04A8-280C-DD48-5F909CA66CCF} - C:\WINDOWS\system32\xskgjmdz.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: (no name) - {B0C7DCA1-2801-4160-8409-AC0D22B388DF} - C:\WINDOWS\system32\geedd.dll (file missing)
O2 - BHO: (no name) - {DB6CBDD9-A8A0-415C-B8E7-53B41D695A63} - C:\WINDOWS\system32\awtqp.dll
O2 - BHO: (no name) - {DB8BAC81-3832-1D9C-1734-38C6593D3197} - C:\WINDOWS\system32\ecasb.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [ksixnvm.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\ksixnvm.dll,qanozgb
O4 - HKLM\..\Run: [bwhrdrh.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\bwhrdrh.dll,iglhyfe
O4 - HKLM\..\Run: [qfageji.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\qfageji.dll,yojnil
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [atvpqei.dll] C:\WINDOWS\system32\rundll32.exe "C:\Documents and Settings\PH\Local Settings\Application Data\atvpqei.dll",fxvuijd
O4 - HKLM\..\Run: [{4429100E-07D9-1033-1230-050207060001}] "C:\Program Files\Common Files\{4429100E-07D9-1033-1230-050207060001}\Update.exe" mc-110-12-0000272
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\system32\ttukgpsl.dll",setvm
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [Tracks Eraser Pro] C:\Program Files\Acesoft\Tracks Eraser Pro\te.exe min
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [Ltbm] "C:\WINDOWS\system32\STEM32~1\msdtc.exe" -vt yazb
O4 - HKCU\..\Run: [Gyqjuvx] C:\WINDOWS\system32\A?pPatch\?hkdsk.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - Startup: Registration .LNK = C:\Program Files\Ubisoft\Dark Messiah of Might and Magic\RegistrationReminder.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: http://locator.cdn.imageservr.com
O16 - DPF: {09F1ADAC-76D8-4D0F-99A5-5C907DADB988} -
O16 - DPF: {97B79133-88F0-45F0-8D57-0F2EF27D9C66} -
O20 - AppInit_DLLs: ,
O20 - Winlogon Notify: awtqp - C:\WINDOWS\system32\awtqp.dll
O20 - Winlogon Notify: nnnnnnm - C:\WINDOWS\SYSTEM32\nnnnnnm.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winetn32 - C:\WINDOWS\SYSTEM32\winetn32.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AutoComplete Service (Autocomplete) - Acesoft - C:\Program Files\Acesoft\Tracks Eraser Pro\delautocomp.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Unknown owner - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe (file missing)
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: NWSentry - Excel-Tech Ltd. - C:\NeuroWorks\sentry.exe
O23 - Service: NWStorage - Excel-Tech Ltd. - C:\NeuroWorks\storage.exe
O23 - Service: XLEvtMsgSvc - Unknown owner - C:\NeuroWorks\EvtMsgSvc.exe
O23 - Service: XLSyncServer - Unknown owner - C:\NeuroWorks\XLSyncServer.exe
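The log above is what HijackThis emits: one entry per line, prefixed with a section code (R0/R1 for IE start pages, O2 for Browser Helper Objects, O4 for Run keys and startup folders, O15 for Trusted Zone additions, O20 for Winlogon Notify packages, O23 for services). The following parser is an added example, not part of this thread and not HijackThis's own code. It reads lines in that format and flags the patterns a responder would look at first in this log: components marked "(file missing)", BHOs registered with "(no name)", rundll32 Run entries named after the DLL they load or loading a DLL from the user profile, a "?" in a path where HijackThis could not print a character, Trusted Zone additions, Winlogon Notify packages outside an allowlist, and services with no vendor. The heuristics, the allowlist (only WgaLogon, which the helper left alone) and the reason strings are this example's assumptions; the sample lines are a constructed subset copied from the log above.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: a subset of lines copied from the HijackThis log in post #1.
SAMPLE_LOG = r"""
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {17C64889-D03A-A9B9-1D72-DC581578F7CC} - C:\WINDOWS\system32\datz.dll (file missing)
O2 - BHO: (no name) - {DB6CBDD9-A8A0-415C-B8E7-53B41D695A63} - C:\WINDOWS\system32\awtqp.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ksixnvm.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\ksixnvm.dll,qanozgb
O4 - HKLM\..\Run: [atvpqei.dll] C:\WINDOWS\system32\rundll32.exe "C:\Documents and Settings\PH\Local Settings\Application Data\atvpqei.dll",fxvuijd
O4 - HKCU\..\Run: [Gyqjuvx] C:\WINDOWS\system32\A?pPatch\?hkdsk.exe
O15 - Trusted Zone: http://locator.cdn.imageservr.com
O20 - Winlogon Notify: awtqp - C:\WINDOWS\system32\awtqp.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: XLSyncServer - Unknown owner - C:\NeuroWorks\XLSyncServer.exe
"""

ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
# rundll32 <dll>,<export>; the DLL path is quoted when it contains spaces
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?\.dll)"?,(?P<export>\w+)', re.IGNORECASE)
RUN_NAME_RE = re.compile(r"\[(?P<name>[^\]]+)\]")
# A '?' inside a drive path is how HijackThis renders a character it cannot print.
ODD_CHAR_RE = re.compile(r'[A-Za-z]:\\[^\s"]*\?')

# Assumption: Winlogon Notify packages considered expected on this machine.
NOTIFY_ALLOWLIST = {"wgalogon"}


@dataclass
class Finding:
    section: str
    line: str
    reasons: list = field(default_factory=list)


def check_entry(section: str, body: str) -> list:
    """Apply the heuristics to one parsed entry and return the reasons it was flagged."""
    reasons = []
    if "(file missing)" in body:
        reasons.append("registered component whose file no longer exists")
    if section == "O2" and "(no name)" in body:
        reasons.append("BHO registered without a name")
    if section == "O4":
        run = RUNDLL_RE.search(body)
        name = RUN_NAME_RE.search(body)
        if run:
            dll = run.group("dll")
            basename = dll.rsplit("\\", 1)[-1].lower()
            if name and name.group("name").lower() == basename:
                reasons.append("rundll32 Run entry named after the DLL it loads")
            if "documents and settings" in dll.lower():
                reasons.append("rundll32 loads a DLL from a user profile directory")
    if section == "O15":
        reasons.append("site added to the Trusted Zone")
    if section == "O20" and body.startswith("Winlogon Notify:"):
        package = body.split(":", 1)[1].split(" - ")[0].strip().lower()
        if package not in NOTIFY_ALLOWLIST:
            reasons.append("Winlogon Notify package outside the allowlist")
    if section == "O23" and "Unknown owner" in body:
        reasons.append("service binary carries no vendor information")
    if ODD_CHAR_RE.search(body):
        reasons.append("unprintable character in a path that mimics a system file name")
    return reasons


def analyse(log_text: str) -> list:
    """Parse every 'Rn - ...' / 'On - ...' line and return only the flagged ones."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # headers, 'Running processes' paths and blank lines are skipped
        reasons = check_entry(m.group("section"), m.group("body"))
        if reasons:
            findings.append(Finding(m.group("section"), line, reasons))
    return findings


def summarise(findings: list) -> dict:
    """Count flagged entries per HijackThis section, e.g. {'O2': 2, 'O4': 3, ...}."""
    counts = {}
    for f in findings:
        counts[f.section] = counts.get(f.section, 0) + 1
    return counts


if __name__ == "__main__":
    found = analyse(SAMPLE_LOG)
    for f in found:
        print(f.line)
        for r in f.reasons:
            print("    -", r)
    print(summarise(found))
```

Run it against a full saved log to get the flagged lines grouped by section; the Yahoo BHO, the NVIDIA Run entry and WgaLogon come through clean, while the eight other sample lines are flagged for the reasons listed. The checks are deliberately simple string and regex tests so that each reason can be read back against the line that produced it.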


#2 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  • Local time:05:50 PM

Posted 14 February 2007 - 08:26 AM

Welcome Doxxs :thumbsup:

Download ATF Cleaner by Atribune:
http://www.atribune.org/ccount/click.php?id=1

Double-click ATF-Cleaner.exe to run the program.
Click 'Select All' found at the bottom of the list.
Click the 'Empty Selected' button.

If you use Firefox browser, do this also:
Click Firefox at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords, please click 'No' at the prompt.

If you use Opera browser, do this also:
Click Opera at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords, please click 'No' at the prompt.

Click 'Exit' on the Main menu to close the program.

***************************

Download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.
Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 – Search, by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

***************************

Please download VundoFix.exe to your desktop.
Double-click VundoFix.exe to run it.
When VundoFix re-opens, click the "Scan for Vundo" button.
Once it's done scanning, click the "Remove Vundo" button.
You will receive a prompt asking if you want to remove the files, click "YES".
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click "OK".
Please post the contents of C:\vundofix.txt into your next reply.

Note:
It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

Reboot, post the Smitfraudfix report, the C:\vundofix.txt, and a new Hijackthis log into your next reply.

#3 Doxxs

Doxxs
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  • Local time:10:50 AM

Posted 14 February 2007 - 09:15 PM

Hijack this log:

Logfile of HijackThis v1.99.1
Scan saved at 8:11:07 PM, on 2/14/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\NeuroWorks\sentry.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\NeuroWorks\EvtMsgSvc.exe
C:\NeuroWorks\storage.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\{4429100E-07D9-1033-1230-050207060001}\Update.exe
C:\WINDOWS\system32\STEM32~1\msdtc.exe
C:\WINDOWS\system32\A?pPatch\?hkdsk.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\PH\Desktop\Analyse.exe.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {17C64889-D03A-A9B9-1D72-DC581578F7CC} - C:\WINDOWS\system32\datz.dll (file missing)
O2 - BHO: (no name) - {1F003B83-0A14-6EF6-B7C2-01258D670EC4} - C:\WINDOWS\system32\xpsjall.dll
O2 - BHO: (no name) - {205F1582-7C8C-4681-BAD1-7ADD48CDDE68} - C:\WINDOWS\system32\awtqp.dll (file missing)
O2 - BHO: (no name) - {4DE230C1-557B-A34D-9B28-091F097A3DF1} - C:\WINDOWS\system32\ioicbbh.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {676D3439-CDFB-98B3-3753-0A0472202F24} - C:\WINDOWS\system32\flrnpsj.dll (file missing)
O2 - BHO: (no name) - {68D5CF1D-EC5C-4bdd-A9EF-F0E517565D50} - C:\WINDOWS\system32\aembnwlv.dll (file missing)
O2 - BHO: (no name) - {6AC3A932-D6A4-1948-73F0-09B2D3C2BEB1} - C:\WINDOWS\system32\yqfpdqm.dll (file missing)
O2 - BHO: (no name) - {6D1A2FF3-1ADF-4935-A2A7-CA9DCE67D450} - C:\WINDOWS\system32\nnnnnnm.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: (no name) - {8E48C31E-04A8-280C-DD48-5F909CA66CCF} - C:\WINDOWS\system32\xskgjmdz.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: (no name) - {B0C7DCA1-2801-4160-8409-AC0D22B388DF} - C:\WINDOWS\system32\geedd.dll (file missing)
O2 - BHO: (no name) - {DB8BAC81-3832-1D9C-1734-38C6593D3197} - C:\WINDOWS\system32\ecasb.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [ksixnvm.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\ksixnvm.dll,qanozgb
O4 - HKLM\..\Run: [bwhrdrh.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\bwhrdrh.dll,iglhyfe
O4 - HKLM\..\Run: [qfageji.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\qfageji.dll,yojnil
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [atvpqei.dll] C:\WINDOWS\system32\rundll32.exe "C:\Documents and Settings\PH\Local Settings\Application Data\atvpqei.dll",fxvuijd
O4 - HKLM\..\Run: [{4429100E-07D9-1033-1230-050207060001}] "C:\Program Files\Common Files\{4429100E-07D9-1033-1230-050207060001}\Update.exe" mc-110-12-0000272
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [Tracks Eraser Pro] C:\Program Files\Acesoft\Tracks Eraser Pro\te.exe min
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [Ltbm] "C:\WINDOWS\system32\STEM32~1\msdtc.exe" -vt yazb
O4 - HKCU\..\Run: [Gyqjuvx] C:\WINDOWS\system32\A?pPatch\?hkdsk.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - Startup: Registration .LNK = C:\Program Files\Ubisoft\Dark Messiah of Might and Magic\RegistrationReminder.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: http://locator.cdn.imageservr.com
O16 - DPF: {09F1ADAC-76D8-4D0F-99A5-5C907DADB988} -
O16 - DPF: {97B79133-88F0-45F0-8D57-0F2EF27D9C66} -
O20 - AppInit_DLLs: ,
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AutoComplete Service (Autocomplete) - Acesoft - C:\Program Files\Acesoft\Tracks Eraser Pro\delautocomp.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Unknown owner - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe (file missing)
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: NWSentry - Excel-Tech Ltd. - C:\NeuroWorks\sentry.exe
O23 - Service: NWStorage - Excel-Tech Ltd. - C:\NeuroWorks\storage.exe
O23 - Service: XLEvtMsgSvc - Unknown owner - C:\NeuroWorks\EvtMsgSvc.exe
O23 - Service: XLSyncServer - Unknown owner - C:\NeuroWorks\XLSyncServer.exe


Vundo fix log:


Beginning removal...

The process smss.exe was successfully stopped

The process winlogon.exe was successfully stopped

The process explorer.exe was successfully stopped

The process iexplore.exe was successfully stopped

The process rundll32.exe was successfully stopped

Attempting to delete C:\WINDOWS\system32\iifdbya.dll
C:\WINDOWS\system32\iifdbya.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\geedd.dll
C:\WINDOWS\system32\geedd.dll Could not be deleted.

Performing Repairs to the registry.
Done!

VundoFix V5.1.7

Running as SYSTEM
from c:\windows\system32\VundoFix.exe

Checking Java version...

Java version is 1.5.0.6

Scan started at 12:54:51 PM 9/21/2006

Listing files found while scanning....

C:\windows\system32\geedd.dll
C:\windows\system32\ddeeg.ini
C:\windows\system32\ddeeg.bak1
C:\windows\system32\ddeeg.bak2
C:\windows\system32\ddeeg.ini2
C:\windows\system32\ddeeg.tmp
C:\windows\system32\hggghgf.dll
C:\windows\system32\iifdbya.dll
C:\WINDOWS\system32\Drivers\DP.sys

Beginning removal...

The process smss.exe was successfully stopped

The process winlogon.exe was successfully stopped

The process explorer.exe was successfully stopped

The process iexplore.exe was successfully stopped

The process rundll32.exe was successfully stopped

Attempting to delete C:\WINDOWS\system32\iifdbya.dll
C:\WINDOWS\system32\iifdbya.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\geedd.dll
C:\WINDOWS\system32\geedd.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.3.6

Checking Java version...

Java version is 1.5.0.6

Java version is 1.5.0.9

Scan started at 8:03:12 PM 2/14/2007

Listing files found while scanning....

C:\WINDOWS\system32\aembnwlv.dll
C:\WINDOWS\system32\anwlomug.exe
C:\WINDOWS\system32\aoetuuuo.dll
C:\WINDOWS\system32\aunmcijt.exe
C:\WINDOWS\system32\awtqp.dll
C:\WINDOWS\system32\bhtqtgwp.dll
C:\WINDOWS\system32\bslchpmq.dll
C:\WINDOWS\system32\djkjiqcj.exe
C:\WINDOWS\system32\dkhtttww.exe
C:\WINDOWS\system32\Drivers\DP.sys
C:\WINDOWS\system32\ebapkhrm.exe
C:\WINDOWS\system32\evauvksr.exe
C:\WINDOWS\system32\exqktlah.dll
C:\WINDOWS\system32\fctgvuws.exe
C:\WINDOWS\system32\flrnpsj.dll
C:\WINDOWS\system32\gakftokh.dll
C:\WINDOWS\system32\hggghgf.dll
C:\WINDOWS\system32\hrseldjn.dll
C:\WINDOWS\system32\hyevmdvj.dll
C:\WINDOWS\system32\iccleaya.dll
C:\WINDOWS\system32\ioicbbh.dll
C:\WINDOWS\system32\jcisqhhx.exe
C:\WINDOWS\system32\jcmquntv.dll
C:\WINDOWS\system32\jfhbagdb.exe
C:\WINDOWS\system32\kamayauo.dll
C:\WINDOWS\system32\kvmleucv.exe
C:\WINDOWS\system32\kxkwacwq.exe
C:\WINDOWS\system32\lspgkutt.ini
C:\WINDOWS\system32\neinmhvf.dll
C:\WINDOWS\system32\njnkleaq.exe
C:\WINDOWS\system32\nnnnnnm.dll
C:\WINDOWS\system32\nvnemtnx.exe
C:\WINDOWS\system32\olcnpfsy.dll
C:\WINDOWS\system32\olfbthgh.exe
C:\WINDOWS\system32\ouuuteoa.ini
C:\WINDOWS\system32\pomwpcvo.dll
C:\WINDOWS\system32\pqtwa.bak1
C:\WINDOWS\system32\pqtwa.bak2
C:\WINDOWS\system32\pqtwa.ini
C:\WINDOWS\system32\qsavnpxc.dll
C:\WINDOWS\system32\rypmdpfo.exe
C:\WINDOWS\system32\scsocovs.dll
C:\WINDOWS\system32\tbnkfhhu.ini
C:\WINDOWS\system32\ttukgpsl.dll
C:\WINDOWS\system32\uduylfgx.dll
C:\WINDOWS\system32\ugxswrcr.exe
C:\WINDOWS\system32\uhhfknbt.dll
C:\WINDOWS\system32\uwetsqlj.dll
C:\WINDOWS\system32\vqactpft.dll
C:\WINDOWS\system32\winetn32.dll
C:\WINDOWS\system32\wlqlmorx.exe
C:\WINDOWS\system32\wqxtpbup.dll
C:\WINDOWS\system32\xegwhnxx.dll
C:\WINDOWS\system32\yqfpdqm.dll
C:\WINDOWS\system32\ysfpnclo.ini
C:\WINDOWS\system32\ytguryte.exe

Beginning removal...

Attempting to delete C:\WINDOWS\system32\aembnwlv.dll
C:\WINDOWS\system32\aembnwlv.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\anwlomug.exe
C:\WINDOWS\system32\anwlomug.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\aoetuuuo.dll
C:\WINDOWS\system32\aoetuuuo.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\aunmcijt.exe
C:\WINDOWS\system32\aunmcijt.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\awtqp.dll
C:\WINDOWS\system32\awtqp.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\bhtqtgwp.dll
C:\WINDOWS\system32\bhtqtgwp.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\bslchpmq.dll
C:\WINDOWS\system32\bslchpmq.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\djkjiqcj.exe
C:\WINDOWS\system32\djkjiqcj.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\dkhtttww.exe
C:\WINDOWS\system32\dkhtttww.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\Drivers\DP.sys
C:\WINDOWS\system32\Drivers\DP.sys Has been deleted!

Attempting to delete C:\WINDOWS\system32\ebapkhrm.exe
C:\WINDOWS\system32\ebapkhrm.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\evauvksr.exe
C:\WINDOWS\system32\evauvksr.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\exqktlah.dll
C:\WINDOWS\system32\exqktlah.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\fctgvuws.exe
C:\WINDOWS\system32\fctgvuws.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\flrnpsj.dll
C:\WINDOWS\system32\flrnpsj.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\gakftokh.dll
C:\WINDOWS\system32\gakftokh.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\hggghgf.dll
C:\WINDOWS\system32\hggghgf.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\hrseldjn.dll
C:\WINDOWS\system32\hrseldjn.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\hyevmdvj.dll
C:\WINDOWS\system32\hyevmdvj.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\iccleaya.dll
C:\WINDOWS\system32\iccleaya.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ioicbbh.dll
C:\WINDOWS\system32\ioicbbh.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\jcisqhhx.exe
C:\WINDOWS\system32\jcisqhhx.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\jcmquntv.dll
C:\WINDOWS\system32\jcmquntv.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\jfhbagdb.exe
C:\WINDOWS\system32\jfhbagdb.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\kamayauo.dll
C:\WINDOWS\system32\kamayauo.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\kvmleucv.exe
C:\WINDOWS\system32\kvmleucv.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\kxkwacwq.exe
C:\WINDOWS\system32\kxkwacwq.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\lspgkutt.ini
C:\WINDOWS\system32\lspgkutt.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\neinmhvf.dll
C:\WINDOWS\system32\neinmhvf.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\njnkleaq.exe
C:\WINDOWS\system32\njnkleaq.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\nnnnnnm.dll
C:\WINDOWS\system32\nnnnnnm.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\nvnemtnx.exe
C:\WINDOWS\system32\nvnemtnx.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\olcnpfsy.dll
C:\WINDOWS\system32\olcnpfsy.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\olfbthgh.exe
C:\WINDOWS\system32\olfbthgh.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\ouuuteoa.ini
C:\WINDOWS\system32\ouuuteoa.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\pomwpcvo.dll
C:\WINDOWS\system32\pomwpcvo.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\pqtwa.bak1
C:\WINDOWS\system32\pqtwa.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\pqtwa.bak2
C:\WINDOWS\system32\pqtwa.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\pqtwa.ini
C:\WINDOWS\system32\pqtwa.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\qsavnpxc.dll
C:\WINDOWS\system32\qsavnpxc.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\rypmdpfo.exe
C:\WINDOWS\system32\rypmdpfo.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\scsocovs.dll
C:\WINDOWS\system32\scsocovs.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\tbnkfhhu.ini
C:\WINDOWS\system32\tbnkfhhu.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\ttukgpsl.dll
C:\WINDOWS\system32\ttukgpsl.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\uduylfgx.dll
C:\WINDOWS\system32\uduylfgx.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ugxswrcr.exe
C:\WINDOWS\system32\ugxswrcr.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\uhhfknbt.dll
C:\WINDOWS\system32\uhhfknbt.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\uwetsqlj.dll
C:\WINDOWS\system32\uwetsqlj.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\vqactpft.dll
C:\WINDOWS\system32\vqactpft.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\winetn32.dll
C:\WINDOWS\system32\winetn32.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\wlqlmorx.exe
C:\WINDOWS\system32\wlqlmorx.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\wqxtpbup.dll
C:\WINDOWS\system32\wqxtpbup.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\xegwhnxx.dll
C:\WINDOWS\system32\xegwhnxx.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\yqfpdqm.dll
C:\WINDOWS\system32\yqfpdqm.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ysfpnclo.ini
C:\WINDOWS\system32\ysfpnclo.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\ytguryte.exe
C:\WINDOWS\system32\ytguryte.exe Has been deleted!

Performing Repairs to the registry.
Done!


Smitfraud report:

SmitFraudFix v2.142

Scan done at 20:01:51.28, Wed 02/14/2007
Run from C:\Documents and Settings\PH\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

C:\WINDOWS\svchost.exe FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

C:\WINDOWS\system32\ismini.exe FOUND !
C:\WINDOWS\system32\components\flx?.dll FOUND !
C:\WINDOWS\system32\components\flx??.dll FOUND !
C:\WINDOWS\system32\components\flx???.dll FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\PH


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\PH\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

C:\DOCUME~1\ALLUSE~1\STARTM~1\Online Security Guide.url FOUND !
C:\DOCUME~1\ALLUSE~1\STARTM~1\Security Troubleshooting.url FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\PH\FAVORI~1

C:\DOCUME~1\PH\FAVORI~1\Antivirus Test Online.url FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

C:\Program Files\Safety Bar\ FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components



»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=", "


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32-huy32


»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

#4 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  • Local time:05:50 PM

Posted 14 February 2007 - 09:23 PM

Reboot your computer into "SAFE MODE" using the F8 method.
To do this, restart your computer and, after hearing your computer beep once during startup (but before the Windows icon appears), press the F8 key repeatedly.
A menu will appear with several options.
Use the arrow keys on your keyboard to navigate and select the option to run Windows in "Safe Mode".

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select #2 and hit Enter to delete the infected files.
You will be prompted: 'Do you want to clean the registry?' answer Y (yes) and hit Enter in order to remove the Desktop background and clean registry keys associated with the infection.
The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found): 'Replace infected file ?' answer Y (yes) and hit Enter to restore a clean file.
A reboot may be needed to finish the cleaning process.
The report can be found at the root of the system drive, usually at C:\rapport.txt
Post the SmitfraudFix report and a new HijackThis log in your next reply.

*********************************

Please download Combofix and save to the desktop:
http://download.bleepingcomputer.com/sUBs/combofix.exe
http://www.techsupportforum.com/sectools/combofix.exe
Note:
It is important that it is saved directly to your desktop

Close any open browsers.
Double click on combofix.exe & follow the prompts.
When finished, it will produce a log.
Post the C:\ComboFix.txt in your next reply.
Note:
Do not mouseclick combofix's window whilst it's running.
That may cause the program to freeze/hang.


Reboot, then post the SmitfraudFix report, the C:\ComboFix.txt and a new HijackThis log in your next reply.

#5 Doxxs

Doxxs
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  • Local time:10:50 AM

Posted 14 February 2007 - 11:11 PM

hijack this log:

Logfile of HijackThis v1.99.1
Scan saved at 10:07:42 PM, on 2/14/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\NeuroWorks\sentry.exe
C:\WINDOWS\System32\svchost.exe
C:\NeuroWorks\EvtMsgSvc.exe
C:\NeuroWorks\storage.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\Acesoft\Tracks Eraser Pro\te.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32Info.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Documents and Settings\PH\Desktop\Analyse.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {17C64889-D03A-A9B9-1D72-DC581578F7CC} - C:\WINDOWS\system32\datz.dll (file missing)
O2 - BHO: (no name) - {1F003B83-0A14-6EF6-B7C2-01258D670EC4} - C:\WINDOWS\system32\xpsjall.dll
O2 - BHO: (no name) - {205F1582-7C8C-4681-BAD1-7ADD48CDDE68} - C:\WINDOWS\system32\awtqp.dll (file missing)
O2 - BHO: (no name) - {4DE230C1-557B-A34D-9B28-091F097A3DF1} - C:\WINDOWS\system32\ioicbbh.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {676D3439-CDFB-98B3-3753-0A0472202F24} - C:\WINDOWS\system32\flrnpsj.dll (file missing)
O2 - BHO: (no name) - {68D5CF1D-EC5C-4bdd-A9EF-F0E517565D50} - C:\WINDOWS\system32\aembnwlv.dll (file missing)
O2 - BHO: (no name) - {6AC3A932-D6A4-1948-73F0-09B2D3C2BEB1} - C:\WINDOWS\system32\yqfpdqm.dll (file missing)
O2 - BHO: (no name) - {6D1A2FF3-1ADF-4935-A2A7-CA9DCE67D450} - C:\WINDOWS\system32\nnnnnnm.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: (no name) - {8E48C31E-04A8-280C-DD48-5F909CA66CCF} - C:\WINDOWS\system32\xskgjmdz.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: (no name) - {B0C7DCA1-2801-4160-8409-AC0D22B388DF} - C:\WINDOWS\system32\geedd.dll (file missing)
O2 - BHO: (no name) - {DB8BAC81-3832-1D9C-1734-38C6593D3197} - C:\WINDOWS\system32\ecasb.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [ksixnvm.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\ksixnvm.dll,qanozgb
O4 - HKLM\..\Run: [bwhrdrh.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\bwhrdrh.dll,iglhyfe
O4 - HKLM\..\Run: [qfageji.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\qfageji.dll,yojnil
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [atvpqei.dll] C:\WINDOWS\system32\rundll32.exe "C:\Documents and Settings\PH\Local Settings\Application Data\atvpqei.dll",fxvuijd
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [Tracks Eraser Pro] C:\Program Files\Acesoft\Tracks Eraser Pro\te.exe min
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [Ltbm] "C:\WINDOWS\system32\STEM32~1\msdtc.exe" -vt yazb
O4 - HKCU\..\Run: [Gyqjuvx] C:\WINDOWS\system32\A?pPatch\?hkdsk.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - Startup: Registration .LNK = C:\Program Files\Ubisoft\Dark Messiah of Might and Magic\RegistrationReminder.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: http://locator.cdn.imageservr.com
O16 - DPF: {09F1ADAC-76D8-4D0F-99A5-5C907DADB988} -
O16 - DPF: {97B79133-88F0-45F0-8D57-0F2EF27D9C66} -
O20 - AppInit_DLLs: ,
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AutoComplete Service (Autocomplete) - Acesoft - C:\Program Files\Acesoft\Tracks Eraser Pro\delautocomp.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Unknown owner - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe (file missing)
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: NWSentry - Excel-Tech Ltd. - C:\NeuroWorks\sentry.exe
O23 - Service: NWStorage - Excel-Tech Ltd. - C:\NeuroWorks\storage.exe
O23 - Service: XLEvtMsgSvc - Unknown owner - C:\NeuroWorks\EvtMsgSvc.exe
O23 - Service: XLSyncServer - Unknown owner - C:\NeuroWorks\XLSyncServer.exe



Smitfraud report

SmitFraudFix v2.142

Scan done at 21:58:17.28, Wed 02/14/2007
Run from C:\Documents and Settings\PH\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts


127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End



Combofix report

"PH" - 07-02-14 22:03:23 Service Pack 2
ComboFix 07-02-11 - Running from: "C:\Documents and Settings\PH\Desktop"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\Common Files\Yazzle1122OinAdmin.exe
C:\Program Files\Common Files\Yazzle1122OinUninstaller.exe
C:\WINDOWS\system32\dekwvyob.exe
C:\WINDOWS\system32\glspsmpk.exe
C:\WINDOWS\system32\qghouuin.exe
C:\WINDOWS\system32\ravtfxlx.exe
C:\WINDOWS\system32\uvskewmn.exe
C:\INSTALL.LOG
C:\Program Files\InetGet2
C:\Program Files\OIN Search
C:\WINDOWS\system32\components
C:\Program Files\Common Files\{44291~1
C:\Program Files\ToolBar888
~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
Folders Quarantined:
C:\qoobox\purity\DOCUME~1
C:\qoobox\purity\DOCUME~1\PH
C:\qoobox\purity\DOCUME~1\PH\Application Data
C:\qoobox\purity\DOCUME~1\PH\My Documents
C:\qoobox\purity\DOCUME~1\PH\Application Data\CROSOF~1
C:\qoobox\purity\DOCUME~1\PH\Application Data\from.txt
C:\qoobox\purity\DOCUME~1\PH\My Documents\FNTS~1
C:\qoobox\purity\DOCUME~1\PH\My Documents\from.txt
C:\qoobox\purity\DOCUME~1\PH\My Documents\RACLE~1
C:\qoobox\purity\DOCUME~1\PH\My Documents\STEM32~1
C:\qoobox\purity\Program Files\ECURIT~1
C:\qoobox\purity\Program Files\FNTS~1
C:\qoobox\purity\Program Files\SCURIT~1
C:\qoobox\purity\Program Files\SKS~1
C:\qoobox\purity\Program Files\SSEMBL~1
C:\qoobox\purity\Program Files\Common Files\CROSOF~1
C:\qoobox\purity\Program Files\Common Files\CROSOF~2
C:\qoobox\purity\Program Files\Common Files\MANTEC~1
C:\qoobox\purity\Program Files\Common Files\SCURIT~1
C:\qoobox\purity\Program Files\Common Files\SMBOLS~1
C:\qoobox\purity\Program Files\Common Files\SSTEM3~1
C:\qoobox\purity\Program Files\Common Files\STEM~1
C:\qoobox\purity\WINDOWS\STEM32~1
C:\qoobox\purity\WINDOWS\WNSXS~1
C:\qoobox\purity\WINDOWS\system32\APPATC~1
C:\qoobox\purity\WINDOWS\system32\SKS~1
C:\qoobox\purity\WINDOWS\system32\SMBOLS~1
C:\qoobox\purity\WINDOWS\system32\STEM32~1
C:\qoobox\purity\WINDOWS\system32\WNSXS~1
C:\qoobox\purity\WINDOWS\system32\APPATC~1\?hkdsk.exe
C:\qoobox\purity\WINDOWS\system32\STEM32~1\msdtc.exe
C:\qoobox\purity\WINDOWS\system32\STEM32~1\STEM32~1


((((((((((((((((((((((((((((((( Files Created from 2007-01-14 to 2007-02-14 ))))))))))))))))))))))))))))))))))


2007-02-14 22:04 <DIR> d-------- C:\WINDOWS\ERDNT
2007-02-14 20:01 79,360 --a------ C:\WINDOWS\system32\swxcacls.exe
2007-02-14 20:01 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-02-14 19:20 76,412 --a------ C:\WINDOWS\system32\puawqaaw.dll
2007-02-13 20:53 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\Google
2007-02-13 20:52 <DIR> d-------- C:\Program Files\Google
2007-02-13 20:52 <DIR> d-------- C:\DOCUME~1\PH\Application Data\Google
2007-02-13 06:00 56,832 --a------ C:\WINDOWS\system32\xskgjmdz.dll
2007-02-12 19:19 76,412 --a------ C:\WINDOWS\system32\qththvgc.dll
2007-02-12 12:58 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\Media Center Programs
2007-02-12 12:56 <DIR> d-------- C:\Program Files\THQ
2007-02-11 19:43 76,412 --a------ C:\WINDOWS\system32\tyjpvtge.dll
2007-02-09 19:37 76,412 --a------ C:\WINDOWS\system32\swibhcvh.dll
2007-02-07 19:37 76,412 --a------ C:\WINDOWS\system32\xsirvqgr.dll
2007-02-07 16:28 76,412 --a------ C:\WINDOWS\system32\guyxylgj.dll
2007-02-07 16:00 <DIR> d-------- C:\Program Files\EVEMon
2007-02-07 16:00 <DIR> d-------- C:\DOCUME~1\PH\Application Data\EVEMon
2007-02-05 16:27 76,412 --a------ C:\WINDOWS\system32\ohnhteqg.dll
2007-02-02 23:19 <DIR> d-------- C:\Program Files\CCP
2007-01-30 20:46 95,232 --a------ C:\WINDOWS\system32\atvpqei.dll
2007-01-30 20:46 71,680 --a------ C:\WINDOWS\system32\xpsjall.dll
2007-01-29 02:58 60,416 --------- C:\WINDOWS\system32\tzchange.exe
2007-01-23 14:11 53,760 --a------ C:\WINDOWS\system32\vfwwdm32.dll
2007-01-23 14:11 <DIR> d-------- C:\WINDOWS\PAC207
2007-01-23 14:09 40,960 --a------ C:\WINDOWS\CleanDev.exe
2007-01-23 14:09 217,088 --a------ C:\WINDOWS\select3a.exe
2007-01-23 14:09 127,692 --a------ C:\WINDOWS\system32\drivers\pfc027.sys
2007-01-23 14:09 11,170 --a------ C:\WINDOWS\system32\PA207Usd.dll
2007-01-23 14:09 <DIR> d-------- C:\WINDOWS\Options
2007-01-23 14:09 <DIR> d-------- C:\Program Files\directx
2007-01-23 14:09 <DIR> d-------- C:\Program Files\CIF USB CAMERA


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-02-14 21:53 -------- d-------- C:\Program Files\mozilla firefox
2007-02-13 20:52 -------- d-------- C:\Documents and Settings\PH\Application Data\google
2007-02-13 15:56 -------- d-------- C:\Program Files\ilinc
2007-02-12 23:53 -------- d-------- C:\Program Files\sociolotron
2007-02-12 12:55 -------- d--h----- C:\Program Files\installshield installation information
2007-02-09 20:55 -------- d-------- C:\Program Files\xoftspy
2007-02-07 16:00 -------- d-------- C:\Documents and Settings\PH\Application Data\evemon
2007-01-28 22:41 -------- d-------- C:\Documents and Settings\PH\Application Data\xfire
2007-01-23 20:34 -------- d-------- C:\Program Files\world of warcraft
2007-01-23 14:15 -------- d-------- C:\Documents and Settings\PH\Application Data\arcsoft
2007-01-23 14:09 -------- d-------- C:\Program Files\Common Files\installshield
2007-01-16 00:51 -------- d-------- C:\Program Files\Common Files\blizzard entertainment
2007-01-13 19:56 166266 --a------ C:\Documents and Settings\PH\Application Data\cosmos prefs
2007-01-12 09:27 6054400 --a------ C:\WINDOWS\system32\ieframe.dll
2007-01-12 09:27 51712 --------- C:\WINDOWS\system32\msfeedsbs.dll
2007-01-12 09:27 458752 --------- C:\WINDOWS\system32\msfeeds.dll
2007-01-12 09:27 232960 --a------ C:\WINDOWS\system32\webcheck.dll
2007-01-08 19:04 105984 --a------ C:\WINDOWS\system32\url.dll
2007-01-08 19:04 102400 --a------ C:\WINDOWS\system32\occache.dll
2007-01-08 19:02 44544 --a------ C:\WINDOWS\system32\iernonce.dll
2007-01-08 19:02 384000 --a------ C:\WINDOWS\system32\iedkcs32.dll
2007-01-08 19:02 383488 --------- C:\WINDOWS\system32\ieapfltr.dll
2007-01-08 19:02 266752 --a------ C:\WINDOWS\system32\iertutil.dll
2007-01-08 19:02 230400 --a------ C:\WINDOWS\system32\ieaksie.dll
2007-01-08 19:02 161792 --a------ C:\WINDOWS\system32\ieakui.dll
2007-01-08 19:02 153088 --a------ C:\WINDOWS\system32\ieakeng.dll
2007-01-08 19:01 17408 --a------ C:\WINDOWS\system32\corpol.dll
2007-01-08 19:00 124928 --a------ C:\WINDOWS\system32\advpack.dll
2007-01-08 18:08 56832 --a------ C:\WINDOWS\system32\ie4uinit.exe
2007-01-08 18:08 13824 --a------ C:\WINDOWS\system32\ieudinit.exe
2007-01-04 16:52 108144 --a------ C:\WINDOWS\system32\cmdlineext.dll
2007-01-04 16:52 -------- dr-h----- C:\Documents and Settings\PH\Application Data\securom
2007-01-04 16:31 -------- d-------- C:\Program Files\ubisoft
2006-12-28 06:40 -------- d-------- C:\Program Files\java
2006-12-26 00:12 -------- d-------- C:\Documents and Settings\PH\Application Data\azureus
2006-12-26 00:05 -------- d-------- C:\Program Files\azureus
2006-12-26 00:00 -------- d-------- C:\Documents and Settings\PH\Application Data\utorrent
2006-12-25 09:02 -------- d-------- C:\Documents and Settings\PH\Application Data\adobeum
2006-12-19 15:52 134656 --a------ C:\WINDOWS\system32\shsvcs.dll
2006-12-19 12:16 333824 --a------ C:\WINDOWS\system32\wiaservc.dll
2006-12-15 23:47 -------- d-------- C:\Program Files\windows media connect 2
2006-12-14 13:11 -------- d-------- C:\Program Files\steam
2006-11-27 08:54 539136 --a------ C:\WINDOWS\system32\msftedit.dll
2006-11-27 08:54 433152 --a------ C:\WINDOWS\system32\riched20.dll
2006-11-20 13:25 3772 --a------ C:\WINDOWS\mozver.dat


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\MSMSGS.EXE\" /background"
"Tracks Eraser Pro"="C:\\Program Files\\Acesoft\\Tracks Eraser Pro\\te.exe min"
"Yahoo! Pager"="\"C:\\PROGRA~1\\Yahoo!\\MESSEN~1\\YAHOOM~1.EXE\" -quiet"
"Ltbm"="\"C:\\WINDOWS\\system32\\STEM32~1\\msdtc.exe\" -vt yazb"
"Gyqjuvx"="C:\\WINDOWS\\system32\\A?pPatch\\?hkdsk.exe"
"updateMgr"="\"C:\\Program Files\\Adobe\\Acrobat 7.0\\Reader\\AdobeUpdateManager.exe\" AcRdB7_0_8 -reboot 1"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Google Desktop Search"="\"C:\\Program Files\\Google\\Google Desktop Search\\GoogleDesktop.exe\" /startup"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe"
"P17Helper"="Rundll32 P17.dll,P17Helper"
"UpdReg"="C:\\WINDOWS\\UpdReg.EXE"
"CTSysVol"="C:\\Program Files\\Creative\\SBAudigy\\Surround Mixer\\CTSysVol.exe /r"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_10\\bin\\jusched.exe\""
"SSBkgdUpdate"="\"C:\\Program Files\\Common Files\\Scansoft Shared\\SSBkgdUpdate\\SSBkgdupdate.exe\" -Embedding -boot"
"PaperPort PTD"="C:\\Program Files\\ScanSoft\\PaperPort\\pptd40nt.exe"
"IndexSearch"="C:\\Program Files\\ScanSoft\\PaperPort\\IndexSearch.exe"
"ControlCenter2.0"="C:\\Program Files\\Brother\\ControlCenter2\\brctrcen.exe /autorun"
"ksixnvm.dll"="C:\\WINDOWS\\system32\\rundll32.exe C:\\WINDOWS\\system32\\ksixnvm.dll,qanozgb"
"bwhrdrh.dll"="C:\\WINDOWS\\system32\\rundll32.exe C:\\WINDOWS\\system32\\bwhrdrh.dll,iglhyfe"
"qfageji.dll"="C:\\WINDOWS\\system32\\rundll32.exe C:\\WINDOWS\\system32\\qfageji.dll,yojnil"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit"
"atvpqei.dll"="C:\\WINDOWS\\system32\\rundll32.exe \"C:\\Documents and Settings\\PH\\Local Settings\\Application Data\\atvpqei.dll\",fxvuijd"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{6D1A2FF3-1ADF-4935-A2A7-CA9DCE67D450}"=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=dword:00000000

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0


[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\E]
Shell\AutoRun\command E:\autorun.exe

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{dabce536-25c7-11db-934f-0015f2605f75}]
Shell\AutoRun\command F:\wd_windows_tools\setup.exe


********************************************************************

catchme 0.1 W2K/XP - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

********************************************************************

Completion time: 07-02-14 22:07:06

#6 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  • Local time:05:50 PM

Posted 15 February 2007 - 02:52 AM

Download\install AVG Free Edition Antivirus:
http://free.grisoft.com/softw/70free/setup...ree_441a944.exe
Once installed, update AVG's virus definitions and run a full system virus scan.

*************************

Copy and paste the following bold blue text below into Notepad.
Click on File (in the menu at the top) > Save as. Set 'Save as Type' to 'All Files' and 'File name' to fix.reg, and save it to your desktop.
Then double click on the fix.reg file on your desktop and agree to merge it into the registry, then reboot.
==============================
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=-

==============================

Please make sure all hidden files are showing:

* Click 'Start'.
* Open 'My Computer'.
* Select the 'Tools' menu and click 'Folder Options'.
* Select the 'View' tab.
* Under the 'Hidden files and folders' heading select 'Show hidden files and folders'.
* Uncheck the 'Hide file extensions for known types' option.
* Uncheck the 'Hide protected operating system files (recommended)' option.
* Click Yes to confirm.
* Click OK.

************************

Download/install AVG Anti-Spyware 7.5.

Please follow these instructions carefully.

Launch/start up AVG Anti-Spyware.
On the main page click the 'Update' tab, and then 'Start Update'.
Once the updates have been installed, do the following:
Select the 'Scanner' icon at the top of the screen, then select the 'Settings' tab.
Once in the 'Settings' screen, under 'How to act?', then under 'Set default action for detected malware to:', click on 'Recommended actions', then click on 'Quarantine'.
Under 'Reports' select 'Automatically generate report after every scan' and unselect 'Only if threats were found'.
Exit AVG Anti-Spyware; don't run the scan just yet.

You might want to print/copy the following as you need to be in Safe Mode from here on.

Reboot your computer into "SAFE MODE" using the F8 method.
To do this, restart your computer and, after hearing your computer beep once during startup (but before the Windows icon appears), press the F8 key repeatedly.
A menu will appear with several options.
Use the arrow keys on your keyboard to navigate and select the option to run Windows in "Safe Mode".

Have Hijack This fix the following by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:

O2 - BHO: (no name) - {17C64889-D03A-A9B9-1D72-DC581578F7CC} - C:\WINDOWS\system32\datz.dll (file missing)
O2 - BHO: (no name) - {1F003B83-0A14-6EF6-B7C2-01258D670EC4} - C:\WINDOWS\system32\xpsjall.dll
O2 - BHO: (no name) - {205F1582-7C8C-4681-BAD1-7ADD48CDDE68} - C:\WINDOWS\system32\awtqp.dll (file missing)
O2 - BHO: (no name) - {4DE230C1-557B-A34D-9B28-091F097A3DF1} - C:\WINDOWS\system32\ioicbbh.dll (file missing)
O2 - BHO: (no name) - {676D3439-CDFB-98B3-3753-0A0472202F24} - C:\WINDOWS\system32\flrnpsj.dll (file missing)
O2 - BHO: (no name) - {68D5CF1D-EC5C-4bdd-A9EF-F0E517565D50} - C:\WINDOWS\system32\aembnwlv.dll (file missing)
O2 - BHO: (no name) - {6AC3A932-D6A4-1948-73F0-09B2D3C2BEB1} - C:\WINDOWS\system32\yqfpdqm.dll (file missing)
O2 - BHO: (no name) - {6D1A2FF3-1ADF-4935-A2A7-CA9DCE67D450} - C:\WINDOWS\system32\nnnnnnm.dll (file missing)
O2 - BHO: (no name) - {8E48C31E-04A8-280C-DD48-5F909CA66CCF} - C:\WINDOWS\system32\xskgjmdz.dll
O2 - BHO: (no name) - {B0C7DCA1-2801-4160-8409-AC0D22B388DF} - C:\WINDOWS\system32\geedd.dll (file missing)
O2 - BHO: (no name) - {DB8BAC81-3832-1D9C-1734-38C6593D3197} - C:\WINDOWS\system32\ecasb.dll (file missing)
O4 - HKLM\..\Run: [ksixnvm.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\ksixnvm.dll,qanozgb
O4 - HKLM\..\Run: [bwhrdrh.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\bwhrdrh.dll,iglhyfe
O4 - HKLM\..\Run: [qfageji.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\qfageji.dll,yojnil
O4 - HKLM\..\Run: [atvpqei.dll] C:\WINDOWS\system32\rundll32.exe "C:\Documents and Settings\PH\Local Settings\Application Data\atvpqei.dll",fxvuijd
O4 - HKCU\..\Run: [Ltbm] "C:\WINDOWS\system32\STEM32~1\msdtc.exe" -vt yazb
O4 - HKCU\..\Run: [Gyqjuvx] C:\WINDOWS\system32\A?pPatch\?hkdsk.exe
O16 - DPF: {09F1ADAC-76D8-4D0F-99A5-5C907DADB988} -
O16 - DPF: {97B79133-88F0-45F0-8D57-0F2EF27D9C66} -


Exit HijackThis, then find and delete the following if present:
C:\WINDOWS\system32\puawqaaw.dll
C:\WINDOWS\system32\xskgjmdz.dll
C:\WINDOWS\system32\qththvgc.dll
C:\WINDOWS\system32\tyjpvtge.dll
C:\WINDOWS\system32\swibhcvh.dll
C:\WINDOWS\system32\xsirvqgr.dll
C:\WINDOWS\system32\guyxylgj.dll
C:\WINDOWS\system32\ohnhteqg.dll
C:\WINDOWS\system32\atvpqei.dll
C:\WINDOWS\system32\xpsjall.dll

Still in Safe Mode launch AVG Anti-Spyware.
Click the 'Scanner' icon at the top.
To start the scan click on 'Complete System Scan'.
Please be patient, it takes a while for the scan to finish.

Once the scan is complete, do the following.
If AVG Anti-Spyware detected any infected objects, click on 'Apply All Actions'.
Next click on 'Save Report'.
Copy and paste that report into your next reply.
The report can be found under the 'Reports' tab at the top.
Close AVG Anti-Spyware when you're done.
Reboot normally.

***********************



Reboot, then post the AVG Anti-Spyware report and a new HijackThis log in your next reply.
Let me know how your pc is running.

Edited by RichieUK, 15 February 2007 - 10:11 AM.

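The entries RichieUK picked out of the log above share a few tells: BHOs with no name whose DLL is missing or sits straight in system32, rundll32 calling a DLL by a generated all-lowercase export, msdtc.exe running from a STEM32~1 folder instead of system32, a path HijackThis prints with '?' in it, and O16 entries with no source URL. The script below is an added example (not code from HijackThis or this thread) that applies those same rules mechanically; the rule set is constructed for the example, and SAMPLE_LOG is a constructed subset of the lines posted in this thread.

```python
"""Triage of HijackThis (HJT) O2/O4/O16 lines with the kind of rules a helper
applies by eye. Added example, not code from HijackThis or BleepingComputer;
the rule set is constructed for this example and SAMPLE_LOG is a constructed
subset of the lines posted in this thread."""
import ntpath
import re

# Windows binaries that malware likes to name itself after; a copy running from
# anywhere but the real system folders deserves a closer look.
MASQUERADE_NAMES = {"svchost.exe", "msdtc.exe", "chkdsk.exe", "lsass.exe"}
SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system32"}

_O2 = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{[^}]+\} - (?P<target>.*)$")
_O4 = re.compile(r"^O4 - (?P<hive>[^:]+): \[(?P<key>[^\]]*)\] (?P<cmd>.*)$")
_O16 = re.compile(r"^O16 - DPF: \{[^}]+\} -\s*$")
_RUNDLL = re.compile(
    r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?\.dll)"?,(?P<export>\S+)', re.I)
_FIRST_PATH = re.compile(r'^"([^"]+)"|^(\S+)')


def _first_path(cmd):
    """Executable path at the start of a Run command line (quoted or not)."""
    m = _FIRST_PATH.match(cmd)
    return (m.group(1) or m.group(2)) if m else ""


def _check_o2(m):
    """Nameless BHOs: orphaned CLSIDs, or DLLs dropped straight into system32."""
    target = m.group("target")
    if m.group("name") != "(no name)":
        return None
    if "(file missing)" in target:
        return "nameless BHO whose DLL is gone (orphaned CLSID left by a removal)"
    if ntpath.dirname(target).lower() == r"c:\windows\system32":
        return "nameless BHO loading a DLL dropped straight into system32"
    return None


def _check_o4(m):
    """Run entries: unrenderable characters, masquerading names, random exports."""
    cmd = m.group("cmd")
    reasons = []
    path = _first_path(cmd)
    if "?" in path:
        # '?' is not a legal file-name character; HJT prints characters it
        # cannot render that way, which is how A?pPatch passes for AppPatch.
        reasons.append("unrenderable character in path (shown as '?')")
    folder, base = ntpath.split(path)
    if base.lower() in MASQUERADE_NAMES and folder.lower() not in SYSTEM_DIRS:
        reasons.append(f"{base} running from {folder!r} instead of a system folder")
    r = _RUNDLL.search(cmd)
    # Legitimate exports are usually CamelCase (NvStartup); a run of lowercase
    # letters like qanozgb is what the DLL droppers in this thread generated.
    if r and re.fullmatch(r"[a-z]{5,}", r.group("export")):
        reasons.append(f"rundll32 calling generated export {r.group('export')} "
                       f"in {ntpath.basename(r.group('dll'))}")
    return "; ".join(reasons) or None


def triage(lines):
    """Return [(line, reason)] for every HJT line on which a rule fires."""
    findings = []
    for line in lines:
        line = line.rstrip()
        reason = None
        if (m := _O2.match(line)):
            reason = _check_o2(m)
        elif (m := _O4.match(line)):
            reason = _check_o4(m)
        elif _O16.match(line):
            reason = "ActiveX download (DPF) entry with no source URL"
        if reason:
            findings.append((line, reason))
    return findings


def triage_log(text):
    """Same as triage() for a whole log held in one string."""
    return triage(text.strip().splitlines())


# Constructed sample: a subset of the lines posted in this thread, with a few
# legitimate entries (Adobe, Spybot, NVIDIA, ctfmon) kept in to show they pass.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {17C64889-D03A-A9B9-1D72-DC581578F7CC} - C:\WINDOWS\system32\datz.dll (file missing)
O2 - BHO: (no name) - {1F003B83-0A14-6EF6-B7C2-01258D670EC4} - C:\WINDOWS\system32\xpsjall.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [ksixnvm.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\ksixnvm.dll,qanozgb
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [atvpqei.dll] C:\WINDOWS\system32\rundll32.exe "C:\Documents and Settings\PH\Local Settings\Application Data\atvpqei.dll",fxvuijd
O4 - HKCU\..\Run: [Ltbm] "C:\WINDOWS\system32\STEM32~1\msdtc.exe" -vt yazb
O4 - HKCU\..\Run: [Gyqjuvx] C:\WINDOWS\system32\A?pPatch\?hkdsk.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O16 - DPF: {09F1ADAC-76D8-4D0F-99A5-5C907DADB988} -
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

if __name__ == "__main__":
    for line, reason in triage_log(SAMPLE_LOG):
        print(f"FIX  {line}\n     -> {reason}")
```

Run against the sample it flags seven lines, the same ones RichieUK listed for fixing, and leaves the Adobe, Spybot, NVIDIA and ctfmon entries alone.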

#7 Doxxs

Doxxs
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  • Local time:10:50 AM

Posted 15 February 2007 - 01:44 PM

AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 12:34:43 PM 2/15/2007

+ Scan result:



HKU\S-1-5-21-1645522239-842925246-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{052B12F7-86FA-4921-8482-26C42316B522} -> Adware.Generic : Cleaned with backup (quarantined).
HKU\S-1-5-21-1645522239-842925246-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{A43385F0-7113-496D-96D7-B9B550E3FCCA} -> Adware.Isearch : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D109C432-9852-43A9-A5CF-276B7F8C4355}\RP455\A0077162.exe -> Adware.Maxifiles : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D109C432-9852-43A9-A5CF-276B7F8C4355}\RP455\A0077163.dll -> Adware.Maxifiles : Cleaned with backup (quarantined).
C:\Documents and Settings\PH\Desktop\backups\backup-20070215-113259-952.dll -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D109C432-9852-43A9-A5CF-276B7F8C4355}\RP361\A0058511.dll -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D109C432-9852-43A9-A5CF-276B7F8C4355}\RP363\A0058514.dll -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D109C432-9852-43A9-A5CF-276B7F8C4355}\RP364\A0058516.dll -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D109C432-9852-43A9-A5CF-276B7F8C4355}\RP365\A0058518.dll -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D109C432-9852-43A9-A5CF-276B7F8C4355}\RP366\A0058530.dll -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D109C432-9852-43A9-A5CF-276B7F8C4355}\RP367\A0058545.dll -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D109C432-9852-43A9-A5CF-276B7F8C4355}\RP369\A0058570.dll -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D109C432-9852-43A9-A5CF-276B7F8C4355}\RP369\A0059471.dll -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D109C432-9852-43A9-A5CF-276B7F8C4355}\RP370\A0059704.dll -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D109C432-9852-43A9-A5CF-276B7F8C4355}\RP370\A0059705.exe -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D109C432-9852-43A9-A5CF-276B7F8C4355}\RP376\A0061749.dll -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D109C432-9852-43A9-A5CF-276B7F8C4355}\RP381\A0062474.dll -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D109C432-9852-43A9-A5CF-276B7F8C4355}\RP381\A0062475.exe -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D109C432-9852-43A9-A5CF-276B7F8C4355}\RP425\A0068296.dll -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D109C432-9852-43A9-A5CF-276B7F8C4355}\RP439\A0071057.dll -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D109C432-9852-43A9-A5CF-276B7F8C4355}\RP439\A0071058.exe -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D109C432-9852-43A9-A5CF-276B7F8C4355}\RP450\A0074085.dll -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D109C432-9852-43A9-A5CF-276B7F8C4355}\RP450\A0074087.exe -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D109C432-9852-43A9-A5CF-276B7F8C4355}\RP453\A0076128.exe -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D109C432-9852-43A9-A5CF-276B7F8C4355}\RP459\A0078218.exe -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D109C432-9852-43A9-A5CF-276B7F8C4355}\RP461\A0078614.dll -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\WINDOWS\system32\cmd.dll -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D109C432-9852-43A9-A5CF-276B7F8C4355}\RP461\A0078560.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D109C432-9852-43A9-A5CF-276B7F8C4355}\RP461\A0078561.exe -> Adware.Softomate : Cleaned with backup (quarantined).
C:\QooBox\Purity\WINDOWS\system32\APPATC~1\сhkdsk.exe -> Adware.ValueAd : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D109C432-9852-43A9-A5CF-276B7F8C4355}\RP461\A0078360.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\VundoFix Backups\geedd.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\VundoFix Backups\hggghgf.dll.bad -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\VundoFix Backups\iifdbya.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D109C432-9852-43A9-A5CF-276B7F8C4355}\RP453\A0076126.exe -> Downloader.Agent.bca : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D109C432-9852-43A9-A5CF-276B7F8C4355}\RP459\A0078216.exe -> Downloader.PurityScan.dc : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D109C432-9852-43A9-A5CF-276B7F8C4355}\RP452\A0076104.exe -> Downloader.PurityScan.dt : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D109C432-9852-43A9-A5CF-276B7F8C4355}\RP461\A0078536.dll -> Downloader.Zlob.aix : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D109C432-9852-43A9-A5CF-276B7F8C4355}\RP383\A0062492.exe -> Downloader.Zlob.axl : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D109C432-9852-43A9-A5CF-276B7F8C4355}\RP384\A0062495.exe -> Downloader.Zlob.bei : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D109C432-9852-43A9-A5CF-276B7F8C4355}\RP384\A0062500.exe -> Downloader.Zlob.bei : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D109C432-9852-43A9-A5CF-276B7F8C4355}\RP384\A0062501.EXE -> Downloader.Zlob.bei : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D109C432-9852-43A9-A5CF-276B7F8C4355}\RP461\A0078410.exe -> Downloader.Zlob.bei : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D109C432-9852-43A9-A5CF-276B7F8C4355}\RP461\A0078409.exe -> Logger.Agent.or : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D109C432-9852-43A9-A5CF-276B7F8C4355}\RP461\A0078349.dll -> Logger.VBStat.e : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D109C432-9852-43A9-A5CF-276B7F8C4355}\RP461\A0078350.dll -> Logger.VBStat.e : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D109C432-9852-43A9-A5CF-276B7F8C4355}\RP461\A0078356.dll -> Logger.VBStat.e : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D109C432-9852-43A9-A5CF-276B7F8C4355}\RP461\A0078359.dll -> Logger.VBStat.e : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D109C432-9852-43A9-A5CF-276B7F8C4355}\RP461\A0078361.dll -> Logger.VBStat.e : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D109C432-9852-43A9-A5CF-276B7F8C4355}\RP461\A0078362.dll -> Logger.VBStat.e : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D109C432-9852-43A9-A5CF-276B7F8C4355}\RP461\A0078363.dll -> Logger.VBStat.e : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D109C432-9852-43A9-A5CF-276B7F8C4355}\RP461\A0078366.dll -> Logger.VBStat.e : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D109C432-9852-43A9-A5CF-276B7F8C4355}\RP461\A0078368.dll -> Logger.VBStat.e : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D109C432-9852-43A9-A5CF-276B7F8C4355}\RP461\A0078372.dll -> Logger.VBStat.e : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D109C432-9852-43A9-A5CF-276B7F8C4355}\RP461\A0078378.dll -> Logger.VBStat.e : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D109C432-9852-43A9-A5CF-276B7F8C4355}\RP461\A0078379.dll -> Logger.VBStat.e : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D109C432-9852-43A9-A5CF-276B7F8C4355}\RP461\A0078381.dll -> Logger.VBStat.e : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D109C432-9852-43A9-A5CF-276B7F8C4355}\RP461\A0078387.dll -> Logger.VBStat.e : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D109C432-9852-43A9-A5CF-276B7F8C4355}\RP461\A0078388.dll -> Logger.VBStat.e : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D109C432-9852-43A9-A5CF-276B7F8C4355}\RP461\A0078391.dll -> Logger.VBStat.e : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D109C432-9852-43A9-A5CF-276B7F8C4355}\RP461\A0078392.dll -> Logger.VBStat.e : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D109C432-9852-43A9-A5CF-276B7F8C4355}\RP461\A0078354.exe -> Not-A-Virus.Downloader.Win32.WinFixer.i : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D109C432-9852-43A9-A5CF-276B7F8C4355}\RP461\A0078357.exe -> Not-A-Virus.Downloader.Win32.WinFixer.i : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D109C432-9852-43A9-A5CF-276B7F8C4355}\RP461\A0078367.exe -> Not-A-Virus.Downloader.Win32.WinFixer.i : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D109C432-9852-43A9-A5CF-276B7F8C4355}\RP461\A0078377.exe -> Not-A-Virus.Downloader.Win32.WinFixer.i : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D109C432-9852-43A9-A5CF-276B7F8C4355}\RP461\A0078385.exe -> Not-A-Virus.Downloader.Win32.WinFixer.i : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\UWA6P_0001_N91M1807NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.o : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\CONFLICT.2\UWA6P_0001_N91M1807NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.o : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\CONFLICT.3\UWA6P_0001_N91M1807NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.o : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\CONFLICT.4\UWA6P_0001_N91M1807NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.o : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\CONFLICT.5\UWA6P_0001_N91M1807NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.o : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\UERS_9999_N91S2507NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.o : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\USYP_0002_N91M0908NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.o : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\UWA6P_0001_N91M1807NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.o : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\USDR6_0001_D19M2108NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.q : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D109C432-9852-43A9-A5CF-276B7F8C4355}\RP461\A0078346.exe -> Not-A-Virus.Downloader.Win32.WinFixer.r : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D109C432-9852-43A9-A5CF-276B7F8C4355}\RP461\A0078351.exe -> Not-A-Virus.Downloader.Win32.WinFixer.r : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D109C432-9852-43A9-A5CF-276B7F8C4355}\RP461\A0078369.exe -> Not-A-Virus.Downloader.Win32.WinFixer.r : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D109C432-9852-43A9-A5CF-276B7F8C4355}\RP461\A0078370.exe -> Not-A-Virus.Downloader.Win32.WinFixer.r : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D109C432-9852-43A9-A5CF-276B7F8C4355}\RP461\A0078373.exe -> Not-A-Virus.Downloader.Win32.WinFixer.r : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D109C432-9852-43A9-A5CF-276B7F8C4355}\RP461\A0078375.exe -> Not-A-Virus.Downloader.Win32.WinFixer.r : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D109C432-9852-43A9-A5CF-276B7F8C4355}\RP461\A0078380.exe -> Not-A-Virus.Downloader.Win32.WinFixer.r : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D109C432-9852-43A9-A5CF-276B7F8C4355}\RP461\A0078390.exe -> Not-A-Virus.Downloader.Win32.WinFixer.r : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D109C432-9852-43A9-A5CF-276B7F8C4355}\RP461\A0078395.exe -> Not-A-Virus.Downloader.Win32.WinFixer.r : Cleaned with backup (quarantined).
C:\VundoFix Backups\anwlomug.exe.bad -> Not-A-Virus.Downloader.Win32.WinFixer.r : Cleaned with backup (quarantined).
C:\VundoFix Backups\djkjiqcj.exe.bad -> Not-A-Virus.Downloader.Win32.WinFixer.r : Cleaned with backup (quarantined).
C:\VundoFix Backups\kvmleucv.exe.bad -> Not-A-Virus.Downloader.Win32.WinFixer.r : Cleaned with backup (quarantined).
C:\VundoFix Backups\kxkwacwq.exe.bad -> Not-A-Virus.Downloader.Win32.WinFixer.r : Cleaned with backup (quarantined).
C:\VundoFix Backups\njnkleaq.exe.bad -> Not-A-Virus.Downloader.Win32.WinFixer.r : Cleaned with backup (quarantined).
C:\VundoFix Backups\nvnemtnx.exe.bad -> Not-A-Virus.Downloader.Win32.WinFixer.r : Cleaned with backup (quarantined).
C:\VundoFix Backups\rypmdpfo.exe.bad -> Not-A-Virus.Downloader.Win32.WinFixer.r : Cleaned with backup (quarantined).
C:\VundoFix Backups\wlqlmorx.exe.bad -> Not-A-Virus.Downloader.Win32.WinFixer.r : Cleaned with backup (quarantined).
C:\VundoFix Backups\ytguryte.exe.bad -> Not-A-Virus.Downloader.Win32.WinFixer.r : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D109C432-9852-43A9-A5CF-276B7F8C4355}\RP461\A0078537.dll -> Not-A-Virus.Hoax.Win32.Renos.fh : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D109C432-9852-43A9-A5CF-276B7F8C4355}\RP453\A0076138.dll -> Trojan.Agent.acl : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D109C432-9852-43A9-A5CF-276B7F8C4355}\RP461\A0078353.sys -> Trojan.Agent.ny : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D109C432-9852-43A9-A5CF-276B7F8C4355}\RP461\A0078546.exe -> Trojan.Agent.ny : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D109C432-9852-43A9-A5CF-276B7F8C4355}\RP461\A0078547.exe -> Trojan.Agent.ny : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D109C432-9852-43A9-A5CF-276B7F8C4355}\RP461\A0078548.exe -> Trojan.Agent.ny : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D109C432-9852-43A9-A5CF-276B7F8C4355}\RP461\A0078549.exe -> Trojan.Agent.ny : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D109C432-9852-43A9-A5CF-276B7F8C4355}\RP461\A0078550.exe -> Trojan.Agent.ny : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D109C432-9852-43A9-A5CF-276B7F8C4355}\RP461\A0078588.exe -> Trojan.Agent.ny : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D109C432-9852-43A9-A5CF-276B7F8C4355}\RP461\A0078384.dll -> Trojan.BHO.g : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D109C432-9852-43A9-A5CF-276B7F8C4355}\RP461\A0078389.dll -> Trojan.Mezzia.h : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D109C432-9852-43A9-A5CF-276B7F8C4355}\RP362\A0058513.exe -> Trojan.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D109C432-9852-43A9-A5CF-276B7F8C4355}\RP363\A0058515.exe -> Trojan.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D109C432-9852-43A9-A5CF-276B7F8C4355}\RP364\A0058517.exe -> Trojan.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D109C432-9852-43A9-A5CF-276B7F8C4355}\RP365\A0058519.exe -> Trojan.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D109C432-9852-43A9-A5CF-276B7F8C4355}\RP366\A0058531.exe -> Trojan.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D109C432-9852-43A9-A5CF-276B7F8C4355}\RP367\A0058541.exe -> Trojan.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D109C432-9852-43A9-A5CF-276B7F8C4355}\RP369\A0058571.exe -> Trojan.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D109C432-9852-43A9-A5CF-276B7F8C4355}\RP370\A0059706.exe -> Trojan.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D109C432-9852-43A9-A5CF-276B7F8C4355}\RP373\A0061729.exe -> Trojan.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D109C432-9852-43A9-A5CF-276B7F8C4355}\RP381\A0062476.exe -> Trojan.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D109C432-9852-43A9-A5CF-276B7F8C4355}\RP382\A0062487.exe -> Trojan.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D109C432-9852-43A9-A5CF-276B7F8C4355}\RP409\A0064053.exe -> Trojan.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D109C432-9852-43A9-A5CF-276B7F8C4355}\RP439\A0071063.exe -> Trojan.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D109C432-9852-43A9-A5CF-276B7F8C4355}\RP443\A0072096.exe -> Trojan.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D109C432-9852-43A9-A5CF-276B7F8C4355}\RP453\A0076127.exe -> Trojan.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D109C432-9852-43A9-A5CF-276B7F8C4355}\RP459\A0078215.exe -> Trojan.Small : Cleaned with backup (quarantined).
C:\WINDOWS\UGF0cmljaw\o3IXwA53uT.vbs -> Trojan.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D109C432-9852-43A9-A5CF-276B7F8C4355}\RP461\A0078347.exe -> Trojan.Small.ju : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D109C432-9852-43A9-A5CF-276B7F8C4355}\RP461\A0078355.exe -> Trojan.Small.ju : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D109C432-9852-43A9-A5CF-276B7F8C4355}\RP461\A0078365.exe -> Trojan.Small.ju : Cleaned with backup (quarantined).


::Report end

#8 RichieUK

    Malware Assassin

  • Malware Response Team
  • 13,614 posts

Posted 15 February 2007 - 04:48 PM

Clear your 'System Restore' points by doing the following:
Right-click on 'My Computer' and select 'Properties'.
Select 'System Restore'.
Select 'Turn Off System Restore On All Drives'.
Select 'Apply'.
You will then get the following warning:
"You have chosen to turn off System Restore.
If you continue, all existing restore points will be deleted, and you will not be able to track or undo changes to your computer.
Do you want to turn off System Restore?"
Then select 'Yes'; your 'System Restore' directories will be purged.

Turn 'System Restore' back on:
Right click on 'My Computer' and select 'Properties'.
Select 'System Restore'.
Unselect 'Turn Off System Restore On All Drives'.
Select 'Apply', then click 'Ok'.

Create a new 'System Restore' point:
Click on Start/All Programs/Accessories/System Tools/System Restore.
In the 'System Restore' window, click the 'Create a Restore Point' button, then click 'Next'.
In the window that appears, enter a description, then click on 'Create', then click 'Close'.
The date and time are added automatically.

Reboot, then post a new HijackThis log in your next reply.
Let me know how your pc is running now please.

#9 Doxxs

  • Topic Starter
  • Members
  • 16 posts

Posted 15 February 2007 - 06:38 PM

Logfile of HijackThis v1.99.1
Scan saved at 5:33:14 PM, on 2/15/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\NeuroWorks\sentry.exe
C:\Documents and Settings\PH\Desktop\Analyse.exe.exe
C:\WINDOWS\System32\svchost.exe
C:\NeuroWorks\EvtMsgSvc.exe
C:\NeuroWorks\storage.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [Tracks Eraser Pro] C:\Program Files\Acesoft\Tracks Eraser Pro\te.exe min
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Registration .LNK = C:\Program Files\Ubisoft\Dark Messiah of Might and Magic\RegistrationReminder.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: http://locator.cdn.imageservr.com
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AutoComplete Service (Autocomplete) - Acesoft - C:\Program Files\Acesoft\Tracks Eraser Pro\delautocomp.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Unknown owner - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe (file missing)
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: NWSentry - Excel-Tech Ltd. - C:\NeuroWorks\sentry.exe
O23 - Service: NWStorage - Excel-Tech Ltd. - C:\NeuroWorks\storage.exe
O23 - Service: XLEvtMsgSvc - Unknown owner - C:\NeuroWorks\EvtMsgSvc.exe
O23 - Service: XLSyncServer - Unknown owner - C:\NeuroWorks\XLSyncServer.exe


My computer is running better. I use Firefox and it is working great. When I started up IE 7 just to test to see if any malware was still there, it appears my browser on IE is still hijacked with "about; security risk."

My computer does indeed run better but I think there are still some bugs roaming around.

Edited by Doxxs, 15 February 2007 - 06:38 PM.


#10 RichieUK

    Malware Assassin

  • Malware Response Team
  • 13,614 posts

Posted 15 February 2007 - 07:01 PM

Download and scan with the free 15 day trial of Counterspy
Once installed launch Counterspy.
Click on 'Spyware Scan', then click 'Updates' at the top right.
Once any available updates have been installed, click the 'Scan Now' button.
Save the report when it's finished:
1. Once Counterspy has finished scanning, the 'Scan Results' box will appear.
2. Click on 'View Results'.
3. Under 'Recommended Action', using the drop-down menus at the side of each entry found, set EVERYTHING to 'Remove'.
4. Then click on 'Take Action'.
5. Once everything has been removed, click on 'View Details'.
6. Copy and paste those details into a Word/text document, then save it to your desktop.

Reboot, post the Counterspy report, and a new HijackThis log in your next reply.
Let me know what's happening now please.

#11 Doxxs

  • Topic Starter
  • Members
  • 16 posts

Posted 16 February 2007 - 01:05 AM

counter spy log

Scan History Details
Start Date: 2/15/2007 11:32:57 PM
End Date: 2/15/2007 11:53:46 PM
Total Time: 20 Min 49 Sec
Detected security risks

Cookie: DoubleClick Cookie (General) more information...
Details: Cookies are small "data tags" that web sites store on PCs in order to recognize unique visitors. Cookies are used to identify returning visitors who have registered for special services; to measure and analyze visitors' use of web site features; to count unique visitors to web pages; and to allow web surfers to use virtual "shopping carts." Online advertising networks use cookies to track users across web sites and to measure ad impressions and click-throughs.
Status: Deleted

Cookies detected
c:\documents and settings\ph\cookies\ph@doubleclick[1].txt


Cookie: PointRoll.com Cookie (General) more information...
Details: Cookies are small "data tags" that web sites store on PCs in order to recognize unique visitors. Cookies are used to identify returning visitors who have registered for special services; to measure and analyze visitors' use of web site features; to count unique visitors to web pages; and to allow web surfers to use virtual "shopping carts." Online advertising networks use cookies to track users across web sites and to measure ad impressions and click-throughs.
Status: Deleted

Cookies detected
c:\documents and settings\ph\cookies\ph@ads.pointroll[2].txt


Zango.SearchAssistant Adware (General) more information...
Details: Zango Search Assistant opens new browser windows showing websites based on the previous websites you visit.
Status: Deleted

Files detected
C:\Program Files\Mozilla Firefox\plugins\npclntax.dll


Desktop Links Adware (General) more information...
Details: Desktop Links consists of various links and shortcuts placed on the desktop by adware and spyware programs. It includes folders and links placed in Internet Explorer's favorites list.
Status: Deleted

Files detected
C:\WINDOWS\system32\ClickToFindandFixErrors_RON.ico


Maxifiles Adware (General) more information...
Status: Deleted

Registry entries detected
HKEY_USERS\S-1-5-21-1645522239-842925246-839522115-1004\SOFTWARE\IDL
HKEY_USERS\S-1-5-21-1645522239-842925246-839522115-1004\SOFTWARE\IDL


TitanPoker Potentially Unwanted Program more information...
Details: TitanPoker is an online casino game that requires a software download to the user's machine.
Status: Deleted

Files detected
C:\WINDOWS\system32\TitanPokerIconDropTRA108.ico


EuropaCasino Potentially Unwanted Program more information...
Status: Deleted

Files detected
C:\WINDOWS\system32\TrafficSales_Casino_3.ico


SysProtect Rogue Security Program more information...
Details: SysProtect is a disabled data repair utility that nags the user to purchase it in order to fix the problems reported in its scan.
Status: Deleted

Registry entries detected
HKEY_LOCAL_MACHINE\Software\Classes\APPID\CHECKPRODUCT2_1.DLL
HKEY_LOCAL_MACHINE\Software\Classes\APPID\CHECKPRODUCT2_1.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\USYP_IS1
HKEY_LOCAL_MACHINE\SOFTWARE\SYS_PROTECT FREE
HKEY_USERS\S-1-5-21-1645522239-842925246-839522115-1004\SOFTWARE\SYS_PROTECT FREE
HKEY_USERS\S-1-5-21-1645522239-842925246-839522115-1004\SOFTWARE\SYS_PROTECT FREE\Settings
HKEY_USERS\S-1-5-21-1645522239-842925246-839522115-1004\SOFTWARE\SYS_PROTECT FREE\Settings


Ipwins Adware (General) more information...
Status: Deleted

Registry entries detected
HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\IPWINS
HKEY_USERS\S-1-5-21-1645522239-842925246-839522115-1004\SOFTWARE\IPWINS
HKEY_USERS\S-1-5-21-1645522239-842925246-839522115-1004\SOFTWARE\IPWINS


Yazzle.Cowabanga Misc (General) more information...
Details: Yazzle.Cowabanga is an ad supported desktop game.
Status: Deleted

Files detected
C:\Documents and Settings\PH\Start Menu\Programs\Games\Cowabanga.lnk

Registry entries detected
HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP MANAGEMENT\ARPCACHE\COWABANGA
HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP MANAGEMENT\ARPCACHE\COWABANGA
HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP MANAGEMENT\ARPCACHE\COWABANGA
HKEY_USERS\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\WINTRUST\TRUST PROVIDERS\SOFTWARE PUBLISHING\TRUST DATABASE\0
HKEY_USERS\S-1-5-18\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\WINTRUST\TRUST PROVIDERS\SOFTWARE PUBLISHING\TRUST DATABASE\0
HKEY_USERS\S-1-5-21-1645522239-842925246-839522115-1004\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\WINTRUST\TRUST PROVIDERS\SOFTWARE PUBLISHING\TRUST DATABASE\0


Trojan-Downloader.Win32.ConHook.gen Trojan Downloader more information...
Status: Deleted

Registry entries detected
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{B7672BAF-E9A3-49B6-86B2-C81719A18A4C}
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{B7672BAF-E9A3-49B6-86B2-C81719A18A4C}\InprocServer32
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{B7672BAF-E9A3-49B6-86B2-C81719A18A4C}\InprocServer32
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{B7672BAF-E9A3-49B6-86B2-C81719A18A4C}\InprocServer32


Trojan-Downloader.Win32.Small.cml Trojan Downloader more information...
Status: Deleted

Registry entries detected
HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\MSSMGR
HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\MSSMGR
HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\MSSMGR
HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\MSSMGR
HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\MSSMGR
HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\MSSMGR
HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\MSSMGR
HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\MSSMGR
HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\MSSMGR
HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\MSSMGR
HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\MSSMGR
HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\MSSMGR
HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\MSSMGR
HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\MSSMGR
HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\MSSMGR


Trojan.Geedd Trojan more information...
Status: Deleted

Files detected
C:\WINDOWS\system32\ddeeg.bak1
C:\WINDOWS\system32\ddeeg.ini

Logfile of HijackThis v1.99.1
Scan saved at 12:00:43 AM, on 2/16/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\NeuroWorks\sentry.exe
C:\WINDOWS\System32\svchost.exe
C:\NeuroWorks\EvtMsgSvc.exe
C:\WINDOWS\system32\Rundll32.exe
C:\NeuroWorks\storage.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\PH\Desktop\Analyse.exe.exe
C:\WINDOWS\system32\wscntfy.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SBCSTray] C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [Tracks Eraser Pro] C:\Program Files\Acesoft\Tracks Eraser Pro\te.exe min
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Registration .LNK = C:\Program Files\Ubisoft\Dark Messiah of Might and Magic\RegistrationReminder.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: http://locator.cdn.imageservr.com
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AutoComplete Service (Autocomplete) - Acesoft - C:\Program Files\Acesoft\Tracks Eraser Pro\delautocomp.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Unknown owner - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe (file missing)
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: NWSentry - Excel-Tech Ltd. - C:\NeuroWorks\sentry.exe
O23 - Service: NWStorage - Excel-Tech Ltd. - C:\NeuroWorks\storage.exe
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
O23 - Service: XLEvtMsgSvc - Unknown owner - C:\NeuroWorks\EvtMsgSvc.exe
O23 - Service: XLSyncServer - Unknown owner - C:\NeuroWorks\XLSyncServer.exe

My computer is running better, thank you very much!

There are still sputters and lags I cannot account for, however.

#12 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • Local time:05:50 PM

Posted 16 February 2007 - 07:24 AM

Please run the F-Secure online virus/spyware scan using Internet Explorer:
http://support.f-secure.com/enu/home/ols3.shtml
Follow the directions on the F-Secure page for proper installation.
Accept the License Agreement.
Once the ActiveX installs, click ‘Custom Scan’ and be sure the following are checked:
1. Scan whole System
2. Scan all files
3. Scan whole system for rootkits
4. Scan whole system for spyware
5. Scan inside archives
6. Use advanced heuristics
Once the download completes, the scan will begin automatically.
The scan will take some time to finish, so please be patient.
When the scan completes, click the ‘I want to decide item by item’ button.
For each item found, select ‘Disinfect’ and click ‘Next’.
Click the ‘Show Report’ button, then copy and paste the entire report into your next reply.

**********************************

Please download Sophos Anti-Rootkit, and save it on your desktop.
1. Double-click sarsfx.exe to extract the files and leave the default settings.
2. Open the folder C:\SOPHTEMP and double-click sargui.exe to start the program.
3. Make sure the following are checked:
- Running processes
- Windows Registry
- Local Hard Drives
4. Click the "Start Scan" button.
5. Click the "OK" button after you get the notification that the scan has finished and close the program.
6. Click on Start>Run and type, or copy and paste: %temp%\sarscan.log then press Enter.
7. This should open the log from the rootkit scan.
Post this log into your next reply.

#13 Doxxs

Doxxs
  • Topic Starter

  • Members
  • 16 posts
  • Local time:10:50 AM

Posted 16 February 2007 - 08:49 AM

I am having problems with the Active X thing, my response and logs may be slightly delayed.

My apologies.

#14 Doxxs

Doxxs
  • Topic Starter

  • Members
  • 16 posts
  • Local time:10:50 AM

Posted 16 February 2007 - 07:16 PM

F-secure log

Result: 16 malware found
Trojan-Downloader.Win32.Busky.gen (virus)
C:\WINDOWS\system32\bwhrdrh.dll (Renamed & Submitted)
C:\WINDOWS\system32\ksixnvm.dll (Renamed & Submitted)
C:\WINDOWS\system32\qfageji.dll (Renamed & Submitted)
C:\VundoFix Backups\flrnpsj.dll.bad (Renamed & Submitted)
C:\VundoFix Backups\ioicbbh.dll.bad (Renamed)
C:\VundoFix Backups\yqfpdqm.dll.bad (Renamed & Submitted)
C:\Documents and Settings\PH\Local Settings\Application Data\atvpqei.dll (Renamed & Submitted)
C:\Documents and Settings\PH\Desktop\backups\backup-20070215-113258-768.dll (Renamed & Submitted)
W32/Adload.BAK (virus)
C:\WINDOWS\system32\gvysgppn.exe (Submitted)
C:\WINDOWS\system32\lcvsiwcn.exe (Submitted)
C:\WINDOWS\system32\nmqtfsdb.exe (Submitted)
C:\WINDOWS\system32\ooxahqlc.exe (Submitted)
C:\WINDOWS\system32\sfppklae.exe
C:\WINDOWS\system32\uagqtlng.exe (Submitted)
C:\WINDOWS\system32\ueqqqnmf.exe (Submitted)
W32/Smalltroj.NYS (virus)
C:\VundoFix Backups\dkhtttww.exe.bad (Submitted)

Sarscan log

Sophos Anti-Rootkit Version 1.2 (data 1.01) © 2006 Sophos Plc
Started logging on 2/16/2007 at 18:09:39 PM

Sophos Anti-Rootkit Version 1.2 (data 1.01) © 2006 Sophos Plc
Started logging on 2/16/2007 at 18:09:59 PM
Stopped logging on 2/16/2007 at 18:12:33 PM


Hijack this log

Logfile of HijackThis v1.99.1
Scan saved at 6:13:25 PM, on 2/16/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\NeuroWorks\sentry.exe
C:\WINDOWS\System32\svchost.exe
C:\NeuroWorks\EvtMsgSvc.exe
C:\NeuroWorks\storage.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\PH\Desktop\Analyse.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SBCSTray] C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [Tracks Eraser Pro] C:\Program Files\Acesoft\Tracks Eraser Pro\te.exe min
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Registration .LNK = C:\Program Files\Ubisoft\Dark Messiah of Might and Magic\RegistrationReminder.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: http://locator.cdn.imageservr.com
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols/fscax.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AutoComplete Service (Autocomplete) - Acesoft - C:\Program Files\Acesoft\Tracks Eraser Pro\delautocomp.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Unknown owner - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe (file missing)
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: NWSentry - Excel-Tech Ltd. - C:\NeuroWorks\sentry.exe
O23 - Service: NWStorage - Excel-Tech Ltd. - C:\NeuroWorks\storage.exe
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
O23 - Service: XLEvtMsgSvc - Unknown owner - C:\NeuroWorks\EvtMsgSvc.exe
O23 - Service: XLSyncServer - Unknown owner - C:\NeuroWorks\XLSyncServer.exe
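Reading these HijackThis logs by hand is how the thread works through them; as an added example that is not part of the thread or of HijackThis, here is a small Python triage script for the O4 / O9 / O15 / O16 / O23 line shapes shown in the log above. The sample lines are constructed from this log, and the flag rules (autoruns without an absolute path, targets marked file missing, Trusted Zone and DPF entries, services with an unknown owner) are the example's own review heuristics, not a verdict on any entry.

```python
"""Triage helper for HijackThis v1.99 log lines (added example, not from the thread)."""
import re
from dataclasses import dataclass

# Constructed sample: line shapes copied from the thread's HijackThis log above.
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\\..\\Run: [iTunesHelper] "C:\\Program Files\\iTunes\\iTunesHelper.exe"
O4 - HKLM\\..\\Run: [nwiz] nwiz.exe /install
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\\Network Diagnostic\\xpnetdiag.exe (file missing)
O15 - Trusted Zone: http://locator.cdn.imageservr.com
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols/fscax.cab
O23 - Service: XLSyncServer - Unknown owner - C:\\NeuroWorks\\XLSyncServer.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\\WINDOWS\\system32\\nvsvc32.exe
"""

# "O4 - <rest>" / "R0 - <rest>": section tag, then the entry body.
LINE_RE = re.compile(r"^(O\d+|R\d+)\s+-\s+(.*)$")
# O4 autorun body: HKLM\..\Run: [value name] command line
O4_RE = re.compile(r"^(HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# O23 service body: Service: display name (short name) - owner - image path
O23_RE = re.compile(r"^Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$")


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def autorun_target(cmd: str) -> str:
    """Return the executable part of an O4 command line, unquoted, without arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    return cmd.split(" ", 1)[0]


def triage(log_text: str) -> list[Finding]:
    """Walk a HijackThis log and return the entries a reviewer should look at first."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # header, blank, or "Running processes" lines
        section, rest = m.group(1), m.group(2)
        if "(file missing)" in rest:
            findings.append(Finding(section, "target file missing", raw))
        if section == "O4":
            m4 = O4_RE.match(rest)
            target = autorun_target(m4.group("cmd")) if m4 else ""
            # A bare file name is resolved through PATH at logon; worth confirming where it lives.
            if target and not re.match(r"^[A-Za-z]:\\", target) and not target.lower().startswith("rundll32"):
                findings.append(Finding(section, f"autorun without absolute path: {target}", raw))
        elif section == "O15":
            findings.append(Finding(section, "site added to IE Trusted Zone", raw))
        elif section == "O16":
            findings.append(Finding(section, "downloaded ActiveX control (DPF)", raw))
        elif section == "O23":
            m23 = O23_RE.match(rest)
            if m23 and m23.group("owner") == "Unknown owner":
                findings.append(Finding(section, "service with unknown owner", raw))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section}: {f.reason}\n    {f.line}")
```

The O16 entry it flags here is the F-Secure scanner control the helper asked for, which is the point: the script surfaces what to check, and the reviewer decides.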

#15 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • Local time:05:50 PM

Posted 16 February 2007 - 07:30 PM

Your log is clean :thumbsup:
If all's ok, please do the following:

Delete:
C:\VundoFix Backups

Clear your 'System Restore' points by doing the following:
Right-click on 'My Computer' and select 'Properties'.
Select 'System Restore'.
Select 'Turn Off System Restore On All Drives'.
Select 'Apply'.
You will then get the following warning:
"You have chosen to turn off System Restore.
If you continue, all existing restore points will be deleted, and you will not be able to track or undo changes to your computer.
Do you want to turn off System Restore?".
Then select 'Yes', and your 'System Restore' directories will be purged.

Turn 'System Restore' back on:
Right click on 'My Computer' and select 'Properties'.
Select 'System Restore'.
Unselect 'Turn Off System Restore On All Drives'.
Select 'Apply', then click 'Ok'.

Create a new 'System Restore' point:
Click on Start/All Programs/Accessories/System Tools/System Restore.
In the 'System Restore' window, click the 'Create a Restore Point' button, then click 'Next'.
In the window that appears, enter a description, then click on 'Create', then click 'Close'.
The date and time is created automatically.

You should now go to Windows Update and install any available critical/high priority updates.

Read through the info found here, to help you prevent any possible future infections.
How did I get infected?
http://www.bleepingcomputer.com/forums/t/2520/how-did-i-get-infected/

Please Note:
Your version of Sun Java is out of date.
Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older versions of Sun Java, and then update.
1. Download the latest version of Java Runtime Environment (JRE)
2. Scroll down to where it says 'Java Runtime Environment (JRE) 6.0'.
3. Click the "Download" button to the right.
4. Check the box that says: "Accept License Agreement".
5. The page will refresh.
6. Click on the link to download 'Windows Offline Installation, Multi-language' and save to your desktop.
7. Close any programs you may have running - especially your web browser.
8. Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
9. Check any item with Java Runtime Environment (JRE or J2SE) in the name.
10. Click the Change/Remove button.
11. Repeat as many times as necessary to remove each Java version.
12. Reboot your computer once all Java components are removed.
13. Then from your desktop double-click on jre-6-windows-i586.exe to install the newest version.