Please Help


This topic is locked.
11 replies to this topic

#1 moridin

  • Members
  • 6 posts

Posted 16 May 2007 - 04:48 PM

Hi all,

I hope you can help. I have tried for hours in Safe Mode to get rid of whatever is plaguing my computer. I have HJT, Ad-Aware, Spybot S&D, CCleaner and Windows Defender, and I used the SmitFraud fix as I get smitfraud-c.toolbar888 in Spybot; I know this is probably just a phantom in the program. I have tried using the remove-file-on-reboot option a couple of dozen times, but these files keep coming back. What happens is that when I am up normally I can surf the internet for a bit, and then after a few minutes my computer just reboots. I can surf fine in Safe Mode with Networking. I was using Avast but removed it as it was slowing things down. It picked up and removed a few Trojans, but they keep coming back. Below is my HJT log; the problems I can see are bolded.

Logfile of HijackThis v1.99.1
Scan saved at 7:17:57 PM, on 16/05/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\TEMP\win12.tmp.exe
C:\PROGRA~1\COMMON~1\CURITY~1\ati2evxx.exe
C:\Program Files\M?crosoft\winword.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Justin\Desktop\HijackThis.exe

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvnat.dll,startup
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\retadpu1000272.exe 61A847B5BBF72813329B385475FB01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
O4 - HKLM\..\Run: [SManager] smanager.7.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Aets] "C:\PROGRA~1\COMMON~1\CURITY~1\ati2evxx.exe" -vt yazb
O4 - HKCU\..\Run: [Qwv] "C:\Program Files\M?crosoft\winword.exe" (not sure on location name)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\QWRlbGU\command.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe




I know the dvpapi.exe is part of this annoying smanager.7.exe that keeps coming back. I am running Win XP SP2.

I also see files like linksrvd.dll that are sometimes hard to delete.

Any help would be greatly appreciated, as this is annoying me to no end.

Thanks,

Justin

Edited to change the logfile to HJT 1.99 from the 2.0 beta, as I found it is easier for you guys to troubleshoot from a complete release than from a beta release of HJT.

Edited by moridin, 16 May 2007 - 06:26 PM.
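Added example, not part of this thread and not HijackThis code: a small Python pass that parses O4 (Run key), O20 (Winlogon Notify) and O23 (Service) lines of the kind in the log above and tags each one with the reasons a log reviewer would look twice. The sample lines are copied from the posted log; the reason codes, the EXPECTED_DIR table and the "5+ letters, no vowel" random-name threshold are this example's own assumptions, not anything HijackThis defines.

```python
"""Heuristic triage of HijackThis O4 / O20 / O23 lines.

Added example (not the original post's code, not HijackThis code). The reason
codes, EXPECTED_DIR and the random-name threshold are assumptions of this
example; they narrow the list for a human reviewer, they do not convict.
"""
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the HijackThis log in the first post.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvnat.dll,startup
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\retadpu1000272.exe 61A847B5BBF72813329B385475FB01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
O4 - HKLM\..\Run: [SManager] smanager.7.exe
O4 - HKCU\..\Run: [Aets] "C:\PROGRA~1\COMMON~1\CURITY~1\ati2evxx.exe" -vt yazb
O4 - HKCU\..\Run: [Qwv] "C:\Program Files\M?crosoft\winword.exe"
O20 - Winlogon Notify: pmkhf - C:\WINDOWS\system32\pmkhf.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\QWRlbGU\command.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
"""

O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<desc>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
HEX_ARG_RE = re.compile(r"\b[0-9A-Fa-f]{32,}\b")
VOWELS = set("aeiou")

# Assumed: binaries with these names legitimately live only in this directory.
EXPECTED_DIR = {
    "svchost.exe": r"c:\windows\system32",
    "ati2evxx.exe": r"c:\windows\system32",
}


@dataclass
class Finding:
    line: str
    path: str
    reasons: list


def image_path(cmd: str) -> str:
    """Return the file a Run-key command really loads (for rundll32, the DLL)."""
    cmd = cmd.strip()
    if cmd.lower().startswith("rundll32.exe "):
        dll = cmd[len("rundll32.exe "):].strip().strip('"')
        return dll.split(",", 1)[0].strip('"')
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split(" ", 1)[0]


def looks_random(stem: str) -> bool:
    """Crude stand-in for an entropy check: 5+ letters and no vowel (assumed threshold)."""
    return len(stem) >= 5 and stem.isalpha() and not (set(stem.lower()) & VOWELS)


def reasons_for(path: str, args: str = "", owner: str = "") -> list:
    """Reason codes for one image path; an empty list means nothing stood out."""
    out = []
    low = path.lower()
    parts = low.split("\\")
    name = parts[-1]
    stem = name.rsplit(".", 1)[0] if "." in name else name
    if "\\" not in path:
        out.append("bare-filename")        # resolved via the search path; whatever is found first runs
    if "?" in path or any(ord(ch) > 126 for ch in path):
        out.append("non-ascii-path")       # '?' cannot be in a Windows file name: a lookalike char (M?crosoft)
    if parts[0] == "c:" and len(parts) > 2 and parts[1] == "windows" and parts[2] != "system32":
        out.append("windows-dir-not-system32")  # %SystemRoot% itself or an odd subfolder (QWRlbGU)
    if "\\temp\\" in low:
        out.append("temp-dir")
    expected = EXPECTED_DIR.get(name)
    if expected and not low.startswith(expected + "\\"):
        out.append("known-name-wrong-dir")  # a system binary's name in a directory it never lives in
    if looks_random(stem):
        out.append("random-name")
    if HEX_ARG_RE.search(args):
        out.append("long-hex-arg")         # opaque 32+ hex-digit argument on the command line
    if owner.lower() == "unknown owner":
        out.append("unknown-owner")        # HJT found no company name in the service binary
    return out


def triage(log_text: str) -> list:
    """Parse O4/O20/O23 lines and keep those with at least one reason code."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := O4_RE.match(line):
            path = image_path(m["cmd"])
            reasons = reasons_for(path, args=m["cmd"].replace(path, "", 1))
        elif m := O20_RE.match(line):
            path = m["path"].strip()
            reasons = reasons_for(path)
        elif m := O23_RE.match(line):
            path = m["path"].strip()
            reasons = reasons_for(path, owner=m["owner"])
        else:
            continue
        if reasons:
            findings.append(Finding(line, path, reasons))
    return findings


def triage_summary(log_text: str) -> dict:
    """Map image path -> reason codes for every flagged line."""
    return {f.path: f.reasons for f in triage(log_text)}


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{', '.join(f.reasons):40} {f.line}")
```

Run it as a script and the Java updater and the HP print service come out clean, while the runner1, SManager, Aets, Qwv, pmkhf and cmdService lines each get at least one tag. The CTDrive line is not flagged at all, even though its drvnat.dll shows up later in the thread in ComboFix's "Files Created" list in the same minute as other suspect files, which is exactly why heuristics like these only shorten the list a human still has to read.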



#2 RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts

Posted 17 May 2007 - 05:45 AM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum, moridin.

Find and delete:
C:\Documents and Settings\Justin\Desktop\HijackThis.exe

Now download and install Hijackthis.
This is a self-extracting version which will automatically install HJT to C:\Program Files\Hijackthis by default.
A desktop shortcut can be created during install under 'Select Additional Tasks'.

**********************

Please download Combofix and save to your desktop:
http://download.bleepingcomputer.com/sUBs/Beta/ComboFix.exe
Note:
It is important that it is saved directly to your desktop

Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the C:\ComboFix.txt into your next reply.
Note:
Do not mouseclick combofix's window whilst it's running.
That may cause the program to freeze/hang.


Now go to:
C:\Program Files\HijackThis\HijackThis.exe
Right-click on HijackThis.exe, select 'Rename' and rename it to abc.bat.
Double-click abc.bat (which is still HijackThis.exe) and post that log into your next reply, please.

#3 moridin

  • Topic Starter

  • Members
  • 6 posts

Posted 17 May 2007 - 07:14 AM

Thanks for getting back to me,

While waiting for a response I did a little more digging and ran VundoFix, which found and got rid of a few bad files. I also ran ComboFix, and its log file is below.

"Justin" - 2007-05-16 19:46:23 Service Pack 2
ComboFix 07-05.17.V - Running from: ""

/wow section - STAGE #3

(((((((((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\cbxyvts.dll
C:\WINDOWS\system32\fccyyxu.dll
C:\WINDOWS\system32\gebxwtq.dll
C:\WINDOWS\system32\vturpmj.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\outerinfo\OiUninstaller.exe
C:\Program Files\outerinfo\outerinfo.ico
C:\Program Files\outerinfo\Terms.rtf
C:\DOCUME~1\LOCALS~1\APPLIC~1\netmon\domains.txt
C:\DOCUME~1\LOCALS~1\APPLIC~1\netmon\log.txt
C:\Program Files\Common Files\svchost.exe
C:\Program Files\install.log
C:\Program Files\inetget2
C:\Program Files\network monitor
C:\Program Files\outerinfo
C:\DOCUME~1\LOCALS~1\APPLIC~1\netmon
C:\WINDOWS\system32\ksl48.bin
~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
Folders Quarantined:
C:\qoobox\purity\C\DOCUME~1
C:\qoobox\purity\C\DOCUME~1\Justin
C:\qoobox\purity\C\DOCUME~1\Justin\APPLIC~1
C:\qoobox\purity\C\DOCUME~1\Justin\APPLIC~1\SMANTE~1
C:\qoobox\purity\C\Program Files\DOBE~1
C:\qoobox\purity\C\Program Files\MCROSO~1
C:\qoobox\purity\C\Program Files\Common Files\CURITY~1
C:\qoobox\purity\C\Program Files\Common Files\ICROSO~1.NET
C:\qoobox\purity\C\WINDOWS\DOBE~1
C:\qoobox\purity\C\WINDOWS\system32\PPATCH~1
C:\qoobox\purity\C\WINDOWS\system32\PPATCH~1\spool32.exe
C:\qoobox\purity\C\WINDOWS\system32\PPATCH~1\??pPatch


((((((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_NETWORK_MONITOR
-------\Network Monitor
-------\pe386
-------\RpcApi


((((((((((((((((((((((((((((((( Files Created from 2007-04-05 to 2007-05-16 ))))))))))))))))))))))))))))))))))


2007-05-16 19:28 687,592 --a------ C:\WINDOWS\system32\atmtd.dll
2007-05-16 19:24 <DIR> d-------- C:\VundoFix Backups
2007-05-16 17:38 32,177 ---hs---- C:\Program Files\Common Files\Yazzle1122OinUninstaller.exe
2007-05-16 17:23 93,696 --a------ C:\WINDOWS\system32\drvnat.dll
2007-05-16 17:23 60,928 --a------ C:\WINDOWS\system32\xiyqto.dll
2007-05-16 17:23 40,183 ---hs---- C:\Program Files\Common Files\Yazzle1162OinUninstaller.exe
2007-05-16 17:23 1,989 --a------ C:\WINDOWS\uninstall_nmon.vbs
2007-05-16 17:23 <DIR> d--hs---- C:\WINDOWS\QWRlbGU
2007-05-16 17:07 1,422 --a------ C:\WINDOWS\system32\tmp.reg
2007-05-16 15:12 11,776 --a------ C:\WINDOWS\smanager.7.exe
2007-05-16 14:29 <DIR> d-------- C:\DOCUME~1\Justin\APPLIC~1\Lavasoft
2007-05-16 14:28 <DIR> d-------- C:\Program Files\Lavasoft
2007-05-16 14:05 <DIR> d-------- C:\Program Files\CCleaner
2007-05-16 14:04 2 --a------ C:\WINDOWS\system32\wcpsvit.exe
2007-05-16 14:04 17,408 --a------ C:\WINDOWS\system32\avp.exe
2007-05-16 13:42 <DIR> d-------- C:\DOCUME~1\Justin\APPLIC~1\Sammsoft
2007-05-16 13:40 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-05-16 13:22 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-05-16 07:47 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2007-05-16 07:45 <DIR> d-------- C:\Program Files\AC3Filter
2007-05-16 07:19 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2007-05-15 15:19 <DIR> d-------- C:\Program Files\Alwil Software
2007-05-15 15:11 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\iolo
2007-05-15 15:08 1,048,576 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-05-15 15:08 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\CyberLink
2007-05-15 15:01 209,526 --a------ C:\WINDOWS\system32\txxhbvsq.exe
2007-05-15 14:55 209,526 --a------ C:\WINDOWS\system32\djdkkvfj.exe
2007-05-15 14:52 126,976 --a------ C:\WINDOWS\system32\iavlsp.dll
2007-05-15 14:51 696,320 --a------ C:\WINDOWS\system32\libeay32.dll
2007-05-15 14:51 668,160 --a------ C:\WINDOWS\is-RFMCN.exe
2007-05-15 14:51 155,648 --a------ C:\WINDOWS\system32\ssleay32.dll
2007-05-15 14:51 <DIR> d-------- C:\Program Files\Common Files\Authentium
2007-05-15 14:51 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\iolo
2007-05-15 14:49 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\iolo
2007-05-15 14:39 43,529 --a------ C:\WINDOWS\system32\servicess3.exe
2007-05-15 14:34 0 --a------ C:\WINDOWS\system32\ng60.bin
2007-05-15 14:29 40,960 --a------ C:\WINDOWS\retadpu1000272.exe
2007-05-15 14:12 86,016 --a------ C:\mgvrprgl.exe
2007-05-15 14:12 75,776 --a------ C:\intvuvmp.exe
2007-05-15 14:11 17,408 --a------ C:\WINDOWS\system32\winzdn32.dll
2007-05-15 13:11 <DIR> d-------- C:\Program Files\MagicDVDRipper
2007-05-15 12:25 <DIR> d-------- C:\Program Files\Personal Media Manager
2007-05-08 16:40 <DIR> d-------- C:\Program Files\Absolute Poker
2007-05-08 16:40 <DIR> d-------- C:\Program Files\_uninstallation_info
2007-05-08 16:05 <DIR> d-------- C:\Program Files\Apple Software Update
2007-05-08 15:47 <DIR> d-------- C:\Program Files\MSXML 6.0
2007-05-08 15:18 <DIR> d-------- C:\DOCUME~1\Adele\APPLIC~1\DivX
2007-05-08 15:17 <DIR> d-------- C:\DOCUME~1\Adele\APPLIC~1\Media Player Classic
2007-05-01 11:35 146,432 ---hs---- C:\Program Files\Common Files\Yazzle1162OinAdmin.exe


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

Rootkit driver pe386 is present. ... attempting disinfection
pe386 ...... driver unloaded successfully.
ADS removed - system32: deleted 79094 bytes in 1 streams.

2007-05-16 18:24:43 -------- d-----w C:\Program Files\NCH Swift Sound
2007-05-16 02:19:54 221 ---ha-w C:\WINDOWS\popcinfo.dat
2007-05-15 19:49:30 -------- d-----w C:\Program Files\Yysu
2007-05-15 19:12:40 -------- d-----w C:\Program Files\RadarSync
2007-05-15 14:22:06 -------- d-----w C:\DOCUME~1\Justin\APPLIC~1\Real
2007-05-14 21:11:01 -------- d-----w C:\Program Files\PokerStars
2007-05-08 20:40:27 -------- d-----w C:\Program Files\_uninstallation_info
2007-05-08 19:56:31 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-05-08 19:54:42 -------- d-----w C:\Program Files\IGN
2007-05-08 19:54:27 -------- d-----w C:\Program Files\Red Storm Entertainment
2007-05-02 18:29:29 -------- d-----w C:\Program Files\PQDVD
2007-04-17 02:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-17 02:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-17 02:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-17 02:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-17 02:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-17 02:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-17 02:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-17 02:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-03-29 13:36:16 -------- d-----w C:\DOCUME~1\Justin\APPLIC~1\OpenOffice.org2
2007-03-26 17:08:16 -------- d-----w C:\DOCUME~1\Justin\APPLIC~1\SmartFTP
2007-03-26 16:58:14 -------- d-----w C:\Program Files\Gallery Constructor 2.0
2007-03-26 16:44:02 -------- d--h--w C:\Program Files\Zero G Registry
2007-03-26 16:32:33 -------- d-----w C:\DOCUME~1\Justin\APPLIC~1\Nvu
2007-03-26 16:25:36 -------- d-----w C:\Program Files\Nvu
2007-03-25 18:53:49 -------- d-----w C:\Program Files\BlueVoda Website Builder
2007-03-25 18:35:58 737,280 ----a-w C:\WINDOWS\iun6002.exe
2007-03-24 19:07:25 -------- d-----w C:\Program Files\Microsoft Games
2007-03-23 10:07:56 1,683,280 ------w C:\WINDOWS\system32\XpsSvcs.dll
2007-03-23 10:07:54 583,504 ------w C:\WINDOWS\system32\XPSSHHDR.dll
2007-03-23 00:25:02 124,928 ------w C:\WINDOWS\system32\prntvpt.dll
2007-03-21 00:58:46 -------- d-----w C:\DOCUME~1\Justin\APPLIC~1\Apple Computer
2007-03-20 19:47:11 -------- d-----w C:\Program Files\pspvideo9
2007-03-20 19:47:04 -------- d-----w C:\Program Files\AviSynth 2.5
2007-03-20 15:45:47 -------- d-----w C:\Program Files\UltraISO
2007-03-20 15:34:29 -------- d-----w C:\Program Files\Common Files\EZB Systems
2007-03-18 02:01:30 -------- d-----w C:\DOCUME~1\Justin\APPLIC~1\PSPDocMaker
2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll
2007-03-12 13:05:44 1,302 ----a-w C:\WINDOWS\mozver.dat
2007-03-12 13:05:44 -------- d-----w C:\Program Files\DivX
2007-03-08 15:36:28 577,536 ----a-w C:\WINDOWS\system32\user32.dll
2007-03-08 15:36:28 40,960 ----a-w C:\WINDOWS\system32\mf3216.dll
2007-03-08 15:36:28 281,600 ----a-w C:\WINDOWS\system32\gdi32.dll
2007-03-08 13:47:48 1,843,584 ----a-w C:\WINDOWS\system32\win32k.sys
2007-03-05 16:26:26 -------- d-s---w C:\Program Files\Xfire
2007-03-05 16:26:26 -------- d-----w C:\DOCUME~1\Justin\APPLIC~1\Xfire
2007-02-09 01:33:39 18 ----a-w C:\WINDOWS\popcinfot.dat
2007-02-05 20:17:02 185,344 ----a-w C:\WINDOWS\system32\upnphost.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{02478D38-C3F9-4EFB-9B51-7695ECA05670}=C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll [2005-11-21 16:54]
{53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 01:04]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]
{8B11A219-80C8-4B42-B558-B8C14D1AA8C4}=C:\Program Files\Yahoo!\browser\ybmho.dll [2004-06-11 17:55]
{9030D464-4C02-4ABF-8ECC-5164760863C6}=C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2006-04-07 00:02]
{9394EDE7-C8B5-483E-8773-474BF36AF6E4}=C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll [2004-08-13 17:42]
{C7490BE5-BA41-4B07-91C7-116DD6E731DA}=C:\WINDOWS\system32\pmkhf.dll []


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" []
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-04-21 16:21]
"SManager"="smanager.7.exe" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:00]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2005-05-31 01:04]
"Aets"="C:\PROGRA~1\COMMON~1\CURITY~1\ati2evxx.exe" []
"Qwv"="C:\Program Files\M?crosoft\winword.exe" []


[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages msv1_0
Security Packages kerberos msv1_0 schannel wdigest
Notification Packages scecli

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\1194862116]
C:\PROGRA~1\eGames\PUZZLE~1\Register\EGAMES~1.EXE /r "C:\PROGRA~1\eGames\PUZZLE~1\Register\EGAMES~1.rpd"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ANIWZCS2Service]
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avast!]
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
"C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTDrive]
rundll32.exe C:\WINDOWS\system32\drvlad.dll,startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DXDllRegExe]
dxdllreg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
"C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
"C:\Program Files\HP\HP Software Update\HPWuSchd.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iolo AntiVirus]
"C:\Program Files\iolo\System Mechanic Professional 7\AntiVirus\ioloAV.exe" rstrq

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iolo Personal Firewall]
"C:\Program Files\iolo\System Mechanic Professional 7\Personal Firewall\ioloFW.exe" rstrq

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
"C:\Program Files\MSN Messenger\msnmsgr.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RHSI SHS]
"C:\Program Files\Rogers\SelfHealing\SHS.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]
C:\WINDOWS\retadpu1000272.exe 61A847B5BBF72813329B385475FB01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SManager]
smanager.7.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSystemAnalyzer]
"C:\Program Files\iolo\System Mechanic Professional 7\SMSystemAnalyzer.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SvcManager]
servicess3.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Update Manager]
"C:\Program Files\Rogers\Update Manager\UpdateManager.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WindowsUpdate]
rundll32.exe "C:\WINDOWS\system32\poqqqbvg.dll",realset

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe" -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YeppStudioAgent]
C:\Program Files\Samsung\Samsung Media Studio\SamsungMediaStudioAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\yIdgNlBe]
C:\WINDOWS\rhdhqb.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ymetray]
"C:\Program Files\Yahoo!\Yahoo! Music Engine\YahooMusicEngine.exe" -preload

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\# G"h'9Ӝ3rWC:]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\# G"h'9Ӝ3rWC:\Program Files]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\# G"h'9Ӝ3rWC:\Program Files\ISTsvc]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\# G"h'9Ӝ3rWC:\Program Files\ISTsvc\istsvc.exe]
C:\WINDOWS\rhdhqb.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\# L"h'9Ӝ3rWC:]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\# L"h'9Ӝ3rWC:\Program Files]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\# L"h'9Ӝ3rWC:\Program Files\ISTsvc]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\# L"h'9Ӝ3rWC:\Program Files\ISTsvc\istsvc.exe]
C:\WINDOWS\rhdhqb.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HTTPFilter HTTPFilter
LocalService Alerter WebClient LmHosts RemoteRegistry upnphost SSDPSRV
NetworkService DnsCache
DcomLaunch DcomLaunch TermService
rpcss RpcSs
imgsvc StiSvc
termsvcs TermService
Usnsvc usnsvc
WudfServiceGroup WUDFSvc

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*


~ ~ ~ ~ ~ ~ ~ ~ Hijackthis Backups ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

backup-20070516-194207-831
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
backup-20070516-194207-632
O4 - HKLM\..\Run: [SManager] smanager.7.exe
backup-20070516-194207-896
O2 - BHO: (no name) - {42E8A044-4486-4654-F038-6CE348EEF3EC} - C:\WINDOWS\system32\xiyqto.dll
backup-20070516-194134-816
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
backup-20070516-194134-985
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
backup-20070516-194134-421
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
backup-20070516-194134-288
O4 - HKLM\..\Run: [SManager] smanager.7.exe
backup-20070516-172424-393
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
backup-20070516-172424-932
O20 - Winlogon Notify: winzdn32 - C:\WINDOWS\SYSTEM32\winzdn32.dll
backup-20070516-172424-632
O20 - Winlogon Notify: pmkhf - C:\WINDOWS\system32\pmkhf.dll
backup-20070516-172423-739
O20 - Winlogon Notify: gebyyyx - C:\WINDOWS\SYSTEM32\gebyyyx.dll
backup-20070516-172423-610
O2 - BHO: (no name) - {CB8B69CF-31AF-40D0-A119-5A8435BC1534} - (no file)
backup-20070516-172423-788
O2 - BHO: (no name) - {A706DD72-1C7E-49BB-83F4-FC2C20367B02} - C:\WINDOWS\system32\gebyyyx.dll
backup-20070516-172423-745
O4 - HKLM\..\Run: [SManager] smanager.7.exe
backup-20070516-172423-877
O4 - HKLM\..\Run: [avp] C:\WINDOWS\system32\avp.exe
backup-20070516-172423-223
O2 - BHO: (no name) - {5436805A-C531-4857-89D8-4E10A5634D5A} - C:\WINDOWS\system32\pmkhf.dll
backup-20070516-172423-923
O2 - BHO: (no name) - {12E2A742-11D4-4255-A738-6CE348EEFCBA} - C:\WINDOWS\system32\nlaqh.dll
backup-20070516-172423-828
O2 - BHO: (no name) - {44E3F540-478E-1050-A138-6CE348EEFCB9} - C:\WINDOWS\system32\mjhf.dll
backup-20070516-135928-244
O20 - Winlogon Notify: admfc - c:\windows\fonts\admfc.dll (file missing)
backup-20070516-135523-446
O20 - Winlogon Notify: pmkhf - C:\WINDOWS\system32\pmkhf.dll
backup-20070516-135523-834
O20 - Winlogon Notify: gebyyyx - C:\WINDOWS\SYSTEM32\gebyyyx.dll
backup-20070516-135522-588
O20 - Winlogon Notify: admfc - c:\windows\fonts\admfc.dll
backup-20070516-131748-707
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
backup-20070516-131748-973
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
backup-20070516-131748-465
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
backup-20070516-131748-135
O20 - Winlogon Notify: winzdn32 - C:\WINDOWS\SYSTEM32\winzdn32.dll
backup-20070516-131748-647
O20 - Winlogon Notify: pmkhf - C:\WINDOWS\system32\pmkhf.dll
backup-20070516-131748-210
O20 - Winlogon Notify: linksrv0 - linksrv0.dll (file missing)
backup-20070516-131748-528
O20 - Winlogon Notify: gebyyyx - C:\WINDOWS\SYSTEM32\gebyyyx.dll
backup-20070516-131747-403
O20 - Winlogon Notify: admfc - c:\windows\fonts\admfc.dll
backup-20070516-131747-204
O4 - HKLM\..\Run: [WindowsUpdate] rundll32.exe "C:\WINDOWS\system32\iupdcetd.dll",realset
backup-20070516-131747-249
O2 - BHO: (no name) - {E2EE5C44-C66D-499d-BEAE-A2A79189A63A} - C:\WINDOWS\system32\gcuwcgwa.dll
backup-20070516-131747-862
O2 - BHO: PsapiAnalyzer Object - {CB8B69CF-31AF-40D0-A119-5A8435BC1534} - c:\windows\fonts\admfc.dll
backup-20070516-131747-783
O2 - BHO: (no name) - {A706DD72-1C7E-49BB-83F4-FC2C20367B02} - C:\WINDOWS\system32\gebyyyx.dll
backup-20070516-131747-712
O2 - BHO: (no name) - {163CBDE9-9C03-440B-AF95-5664F281BA03} - C:\WINDOWS\system32\pmkhf.dll
backup-20070516-131053-982
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
backup-20070516-131053-924
O20 - Winlogon Notify: pmkhf - C:\WINDOWS\system32\pmkhf.dll
backup-20070516-131053-872
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
backup-20070516-131053-165
O20 - Winlogon Notify: linksrv0 - C:\WINDOWS\SYSTEM32\linksrv0.dll
backup-20070516-131053-559
O20 - Winlogon Notify: gebyyyx - C:\WINDOWS\SYSTEM32\gebyyyx.dll
backup-20070516-131052-925
O20 - Winlogon Notify: admfc - c:\windows\fonts\admfc.dll
backup-20070516-131052-424
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} - http://zone.msn.com/bingame/pacz/default/pandaonline.cab
backup-20070516-131052-147
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
backup-20070516-131052-711
O2 - BHO: PsapiAnalyzer Object - {CB8B69CF-31AF-40D0-A119-5A8435BC1534} - c:\windows\fonts\admfc.dll
backup-20070516-131052-502
O2 - BHO: (no name) - {83749C3E-7C0D-4E6D-8E1B-B55CA3D175E7} - C:\WINDOWS\system32\pmkhf.dll
backup-20070516-131052-530
O2 - BHO: (no name) - {A706DD72-1C7E-49BB-83F4-FC2C20367B02} - C:\WINDOWS\system32\gebyyyx.dll
backup-20070516-130918-165
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
backup-20070516-130918-315
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
backup-20070516-130918-704
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
backup-20070516-130918-376
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE
backup-20070516-130918-304
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
backup-20070516-130918-283
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
backup-20070516-130918-903
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
backup-20070516-130918-845
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
backup-20070516-130917-525
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
backup-20070516-130917-515
O20 - Winlogon Notify: winzdn32 - C:\WINDOWS\SYSTEM32\winzdn32.dll
backup-20070516-130917-429
O20 - Winlogon Notify: pmkhf - C:\WINDOWS\system32\pmkhf.dll
backup-20070516-130917-560
O20 - Winlogon Notify: linksrv0 - C:\WINDOWS\SYSTEM32\linksrv0.dll
backup-20070516-130917-422
O20 - Winlogon Notify: gebyyyx - C:\WINDOWS\SYSTEM32\gebyyyx.dll
backup-20070516-130917-942
O20 - Winlogon Notify: admfc - c:\windows\fonts\admfc.dll
backup-20070516-130917-794
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.2.100.cab
backup-20070516-130916-635
O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) - http://gamingzone.ubisoft.com/dev/packages/GSManager.cab
backup-20070516-130916-428
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwe...tup1.0.0.15.cab
backup-20070516-130916-498
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
backup-20070516-130915-150
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
backup-20070516-130915-229
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
backup-20070516-130915-285
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
backup-20070516-130915-986
O9 - Extra 'Tools' menuitem: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\Justin\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
backup-20070516-130915-628
O9 - Extra button: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\Justin\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
backup-20070516-130915-429
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe" -quiet
backup-20070516-130914-634
O2 - BHO: (no name) - {E2EE5C44-C66D-499d-BEAE-A2A79189A63A} - C:\WINDOWS\system32\hcsqujdv.dll
backup-20070516-130915-162
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
backup-20070516-130914-131
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
backup-20070516-130914-303
O2 - BHO: (no name) - {A706DD72-1C7E-49BB-83F4-FC2C20367B02} - C:\WINDOWS\system32\gebyyyx.dll
backup-20070516-130914-271
O2 - BHO: (no name) - {83749C3E-7C0D-4E6D-8E1B-B55CA3D175E7} - C:\WINDOWS\system32\pmkhf.dll
backup-20070516-130914-609
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://rogers.yahoo.com/

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\MP Scheduled Scan.job
C:\WINDOWS\tasks\Uniblue SpeedUpMyPC Nag.job
C:\WINDOWS\tasks\Uniblue SpeedUpMyPC.job

********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-16 19:51:14
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0


********************************************************************

Completion time: 2007-05-16 19:53:39 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-05-16 19:53


--- E O F ---



HJT log is below:

Logfile of HijackThis v1.99.1
Scan saved at 8:06:32 AM, on 17/05/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: IYBookmarkHO Class - {8B11A219-80C8-4B42-B558-B8C14D1AA8C4} - C:\Program Files\Yahoo!\browser\ybmho.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: (no name) - {C7490BE5-BA41-4B07-91C7-116DD6E731DA} - C:\WINDOWS\system32\pmkhf.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Aets] "C:\PROGRA~1\COMMON~1\CURITY~1\ati2evxx.exe" -vt yazb
O4 - HKCU\..\Run: [Qwv] "C:\Program Files\M?crosoft\winword.exe"
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe


Slowly getting there.

Thanks again for the help,

Justin

#4 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts

Posted 17 May 2007 - 07:49 AM

First disable Windows Defender's real-time protection, as it may interfere.
* Open Microsoft Windows Defender. Click Start>All Programs>Windows Defender.
* Click on 'Tools'>'Options'.
* Under 'Real-time protection options', unselect the 'Turn on real-time protection' check box
* Click 'Save'.

*********************************

Please disable Spybot S&D's protection, or it will interfere.
You can enable it after you're clean.
Open Spybot and click on 'Mode' and check 'Advanced Mode'.
Click on 'Tools' in bottom left hand corner.
Click on the 'System Startup' icon.
Uncheck 'Teatimer' box and/or uncheck 'Resident'.
Click the 'Allow Change' box.
Then, check next to the computer clock to see if the icon for Spybot is still there.
If it is, right click it and choose 'exit Spybot-S&D Resident'.
Reboot the computer.

*********************************

Download Avenger from the link below:
http://swandog46.geekstogo.com/avenger.zip
Unzip/extract it to your desktop.

Start up Avenger.
Check the 'Input script manually' option.
Click the Magnifying Glass icon.
In the box that opens, copy and paste ALL the following bold blue text in the Quote box below:

Files to delete:
C:\WINDOWS\system32\atmtd.dll
C:\WINDOWS\system32\drvnat.dll
C:\WINDOWS\system32\xiyqto.dll
C:\Program Files\Common Files\Yazzle1162OinUninstaller.exe
C:\WINDOWS\uninstall_nmon.vbs
C:\WINDOWS\smanager.7.exe
C:\WINDOWS\system32\wcpsvit.exe
C:\WINDOWS\system32\txxhbvsq.exe
C:\WINDOWS\system32\djdkkvfj.exe
C:\WINDOWS\is-RFMCN.exe
C:\WINDOWS\system32\servicess3.exe
C:\WINDOWS\retadpu1000272.exe
C:\mgvrprgl.exe
C:\intvuvmp.exe
C:\WINDOWS\system32\winzdn32.dll
C:\Program Files\Common Files\Yazzle1162OinAdmin.exe

Then click on 'Done'.
Click the Traffic Light icon to start the program.
Then press OK at the prompts to reboot your PC.

Post the Avenger output.txt, which you can find at C:\Avenger\.txt into your next reply.

**********************************

It appears you've no virus protection installed.
Download\install one of the following freeware options from the choice below.
Once installed update its definitions and then run a full system virus scan.

AVG7 Free Edition Antivirus:
http://free.grisoft.com/softw/70free/setup...ree_446a965.exe

Avast! 4 Home Edition:
http://files.avast.com/iavs4pro/setupeng.exe

Active Virus Shield
There's a nice setup tutorial Here:
http://www.activevirusshield.com/antivirus/freeav/

**********************************

Have Hijack This fix the following by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:
O2 - BHO: (no name) - {C7490BE5-BA41-4B07-91C7-116DD6E731DA} - C:\WINDOWS\system32\pmkhf.dll (file missing)
O4 - HKCU\..\Run: [Aets] "C:\PROGRA~1\COMMON~1\CURITY~1\ati2evxx.exe" -vt yazb
O4 - HKCU\..\Run: [Qwv] "C:\Program Files\M?crosoft\winword.exe"

Exit Hijackthis.

**********************************

Restart your pc.
Post the Avenger output.txt, and a new Hijackthis log into your next reply.

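A small triage pass over HijackThis-format log lines, added here as an example (it is not code from this thread or from HijackThis). It encodes the three signs RichieUK acted on in the lines he told the poster to fix: an unnamed BHO whose DLL is missing, a Run entry pointing into a lookalike folder, and a binary that normally lives in system32 being launched from somewhere else. The list of system32 binaries is an illustrative assumption, not an exhaustive one.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Sample input: the three entries RichieUK flagged in this thread, plus two
# benign lines (Adobe's BHO and ctfmon.exe) copied from the same log for contrast.
SAMPLE_LOG = """\
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Adobe\\Acrobat 7.0\\ActiveX\\AcroIEHelper.dll
O2 - BHO: (no name) - {C7490BE5-BA41-4B07-91C7-116DD6E731DA} - C:\\WINDOWS\\system32\\pmkhf.dll (file missing)
O4 - HKCU\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
O4 - HKCU\\..\\Run: [Aets] "C:\\PROGRA~1\\COMMON~1\\CURITY~1\\ati2evxx.exe" -vt yazb
O4 - HKCU\\..\\Run: [Qwv] "C:\\Program Files\\M?crosoft\\winword.exe"
"""

# Binaries that legitimately live in %SystemRoot%\system32 on XP. A file with
# the same name in another directory is a classic masquerade (ati2evxx.exe
# under COMMON~1\CURITY~1 in this thread). Assumption: illustrative list only.
SYSTEM32_BINARIES = {"ctfmon.exe", "ati2evxx.exe", "svchost.exe", "lsass.exe"}

BHO_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$"
)
RUN_RE = re.compile(
    r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\Run: \[(?P<label>[^\]]+)\] (?P<cmd>.*)$"
)


@dataclass(frozen=True)
class Finding:
    line: str
    rule: str
    severity: str  # "fix" (let HijackThis remove it) or "review" (check the DLL's publisher)


def first_path(cmd: str) -> str:
    """Return the executable path from a Run value: the quoted part, or the first token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def in_system32(path: str) -> bool:
    """True when the file sits directly in \\WINDOWS\\system32 (or %systemroot%\\system32)."""
    return re.search(r"(\\windows|%systemroot%)\\system32\\[^\\]+$", path, re.IGNORECASE) is not None


def check_bho(m: re.Match, line: str) -> list[Finding]:
    name, path = m["name"], m["path"]
    missing = path.endswith("(file missing)")
    if name == "(no name)" and missing:
        # Registration survived after the DLL was deleted: nothing to load, but the
        # CLSID still points at system32, so HijackThis should clear it.
        return [Finding(line, "orphaned BHO registration (no name, file missing)", "fix")]
    if name == "(no name)":
        # Legitimate tools (Spybot's SDHelper.dll) also register without a name,
        # so this is only a prompt to verify the DLL, not an automatic removal.
        return [Finding(line, "unnamed BHO, verify the DLL's publisher", "review")]
    return []


def check_run(m: re.Match, line: str) -> list[Finding]:
    findings: list[Finding] = []
    path = first_path(m["cmd"])
    base = path.rsplit("\\", 1)[-1].lower()
    if "?" in path:
        # '?' is not a legal character in a Windows file name, so HijackThis is
        # showing a character it could not print: the folder is a lookalike of
        # "Microsoft", not the real one.
        findings.append(Finding(line, "directory name contains an unprintable lookalike character", "fix"))
    if base in SYSTEM32_BINARIES and not in_system32(path):
        findings.append(Finding(line, f"{base} normally lives in system32, found elsewhere", "fix"))
    return findings


def triage(log_text: str) -> list[Finding]:
    """Run every rule over each O2/O4 line of a HijackThis log and collect findings."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := BHO_RE.match(line):
            findings.extend(check_bho(m, line))
        elif m := RUN_RE.match(line):
            findings.extend(check_run(m, line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.rule}\n    {f.line}")
```

Run against the sample it reports exactly the three lines RichieUK marked for "Fix checked" and stays silent on the Adobe and ctfmon entries.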

#5 moridin

moridin
  • Topic Starter

  • Members
  • 6 posts

Posted 17 May 2007 - 01:12 PM

Thanks,

I did what you suggested and installed AVG... it seemed to clear things up.

My logfiles are below.

Logfile of HijackThis v1.99.1
Scan saved at 2:04:18 PM, on 17/05/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\XPKeepPerUserDisplaySettings\XPKeepPerUserDisplaySettings.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Absolute Poker\mainclient.exe
C:\Program Files\Absolute Poker\aphh.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: IYBookmarkHO Class - {8B11A219-80C8-4B42-B558-B8C14D1AA8C4} - C:\Program Files\Yahoo!\browser\ybmho.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: XP Keep Per User Display Settings.lnk = C:\Program Files\XPKeepPerUserDisplaySettings\XPKeepPerUserDisplaySettings.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Error: could not create zip file.
Error code: 0


//////////////////////////////////////////


Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\bpsskpvm

*******************

Script file located at: \??\C:\xruvwbxo.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:



File C:\WINDOWS\system32\atmtd.dll not found!
Deletion of file C:\WINDOWS\system32\atmtd.dll failed!

Could not process line:
C:\WINDOWS\system32\atmtd.dll
Status: 0xc0000034



File C:\WINDOWS\system32\drvnat.dll not found!
Deletion of file C:\WINDOWS\system32\drvnat.dll failed!

Could not process line:
C:\WINDOWS\system32\drvnat.dll
Status: 0xc0000034



File C:\WINDOWS\system32\xiyqto.dll not found!
Deletion of file C:\WINDOWS\system32\xiyqto.dll failed!

Could not process line:
C:\WINDOWS\system32\xiyqto.dll
Status: 0xc0000034



File C:\Program Files\Common Files\Yazzle1162OinUninstaller.exe not found!
Deletion of file C:\Program Files\Common Files\Yazzle1162OinUninstaller.exe failed!

Could not process line:
C:\Program Files\Common Files\Yazzle1162OinUninstaller.exe
Status: 0xc0000034



File C:\WINDOWS\uninstall_nmon.vbs not found!
Deletion of file C:\WINDOWS\uninstall_nmon.vbs failed!

Could not process line:
C:\WINDOWS\uninstall_nmon.vbs
Status: 0xc0000034



File C:\WINDOWS\smanager.7.exe not found!
Deletion of file C:\WINDOWS\smanager.7.exe failed!

Could not process line:
C:\WINDOWS\smanager.7.exe
Status: 0xc0000034

File C:\WINDOWS\system32\wcpsvit.exe deleted successfully.
File C:\WINDOWS\system32\txxhbvsq.exe deleted successfully.
File C:\WINDOWS\system32\djdkkvfj.exe deleted successfully.
File C:\WINDOWS\is-RFMCN.exe deleted successfully.
File C:\WINDOWS\system32\servicess3.exe deleted successfully.


File C:\WINDOWS\retadpu1000272.exe not found!
Deletion of file C:\WINDOWS\retadpu1000272.exe failed!

Could not process line:
C:\WINDOWS\retadpu1000272.exe
Status: 0xc0000034



File C:\mgvrprgl.exe not found!
Deletion of file C:\mgvrprgl.exe failed!

Could not process line:
C:\mgvrprgl.exe
Status: 0xc0000034



File C:\intvuvmp.exe not found!
Deletion of file C:\intvuvmp.exe failed!

Could not process line:
C:\intvuvmp.exe
Status: 0xc0000034



File C:\WINDOWS\system32\winzdn32.dll not found!
Deletion of file C:\WINDOWS\system32\winzdn32.dll failed!

Could not process line:
C:\WINDOWS\system32\winzdn32.dll
Status: 0xc0000034



File C:\Program Files\Common Files\Yazzle1162OinAdmin.exe not found!
Deletion of file C:\Program Files\Common Files\Yazzle1162OinAdmin.exe failed!

Could not process line:
C:\Program Files\Common Files\Yazzle1162OinAdmin.exe
Status: 0xc0000034


Completed script processing.

*******************

Finished! Terminate.

//////////////////////////////////////////


Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\gtojxfkr

*******************

Script file located at: \??\C:\yduqkfyi.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:



File C:\WINDOWS\system32\atmtd.dll not found!
Deletion of file C:\WINDOWS\system32\atmtd.dll failed!

Could not process line:
C:\WINDOWS\system32\atmtd.dll
Status: 0xc0000034



File C:\WINDOWS\system32\drvnat.dll not found!
Deletion of file C:\WINDOWS\system32\drvnat.dll failed!

Could not process line:
C:\WINDOWS\system32\drvnat.dll
Status: 0xc0000034



File C:\WINDOWS\system32\xiyqto.dll not found!
Deletion of file C:\WINDOWS\system32\xiyqto.dll failed!

Could not process line:
C:\WINDOWS\system32\xiyqto.dll
Status: 0xc0000034



File C:\Program Files\Common Files\Yazzle1162OinUninstaller.exe not found!
Deletion of file C:\Program Files\Common Files\Yazzle1162OinUninstaller.exe failed!

Could not process line:
C:\Program Files\Common Files\Yazzle1162OinUninstaller.exe
Status: 0xc0000034



File C:\WINDOWS\uninstall_nmon.vbs not found!
Deletion of file C:\WINDOWS\uninstall_nmon.vbs failed!

Could not process line:
C:\WINDOWS\uninstall_nmon.vbs
Status: 0xc0000034



File C:\WINDOWS\smanager.7.exe not found!
Deletion of file C:\WINDOWS\smanager.7.exe failed!

Could not process line:
C:\WINDOWS\smanager.7.exe
Status: 0xc0000034



File C:\WINDOWS\system32\wcpsvit.exe not found!
Deletion of file C:\WINDOWS\system32\wcpsvit.exe failed!

Could not process line:
C:\WINDOWS\system32\wcpsvit.exe
Status: 0xc0000034



File C:\WINDOWS\system32\txxhbvsq.exe not found!
Deletion of file C:\WINDOWS\system32\txxhbvsq.exe failed!

Could not process line:
C:\WINDOWS\system32\txxhbvsq.exe
Status: 0xc0000034



File C:\WINDOWS\system32\djdkkvfj.exe not found!
Deletion of file C:\WINDOWS\system32\djdkkvfj.exe failed!

Could not process line:
C:\WINDOWS\system32\djdkkvfj.exe
Status: 0xc0000034



File C:\WINDOWS\is-RFMCN.exe not found!
Deletion of file C:\WINDOWS\is-RFMCN.exe failed!

Could not process line:
C:\WINDOWS\is-RFMCN.exe
Status: 0xc0000034



File C:\WINDOWS\system32\servicess3.exe not found!
Deletion of file C:\WINDOWS\system32\servicess3.exe failed!

Could not process line:
C:\WINDOWS\system32\servicess3.exe
Status: 0xc0000034



File C:\WINDOWS\retadpu1000272.exe not found!
Deletion of file C:\WINDOWS\retadpu1000272.exe failed!

Could not process line:
C:\WINDOWS\retadpu1000272.exe
Status: 0xc0000034



File C:\mgvrprgl.exe not found!
Deletion of file C:\mgvrprgl.exe failed!

Could not process line:
C:\mgvrprgl.exe
Status: 0xc0000034



File C:\intvuvmp.exe not found!
Deletion of file C:\intvuvmp.exe failed!

Could not process line:
C:\intvuvmp.exe
Status: 0xc0000034



File C:\WINDOWS\system32\winzdn32.dll not found!
Deletion of file C:\WINDOWS\system32\winzdn32.dll failed!

Could not process line:
C:\WINDOWS\system32\winzdn32.dll
Status: 0xc0000034



File C:\Program Files\Common Files\Yazzle1162OinAdmin.exe not found!
Deletion of file C:\Program Files\Common Files\Yazzle1162OinAdmin.exe failed!

Could not process line:
C:\Program Files\Common Files\Yazzle1162OinAdmin.exe
Status: 0xc0000034


Completed script processing.

*******************

Finished! Terminate.


My computer has been up normally for about an hour and hasn't shut down on me once. Thank you, saved me spending extra wasteful hours scouring for answers.

Just wondering if dvpapi could still be a problem. Seemed to remove most instances of it, but it still shows up in my Services. I have disabled it and haven't had any more problems as of yet.

I will check back in a few hours as long as everything looks good.

Thank you so much,

Justin

#6 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts

Posted 17 May 2007 - 01:23 PM

Double click on combofix.exe again and follow the prompts Justin.
When it's finished it will produce a log.
Post the C:\ComboFix.txt into your next reply.

#7 moridin

moridin
  • Topic Starter

  • Members
  • 6 posts

Posted 17 May 2007 - 02:56 PM

Thanks RichieUK,

Here's the ComboFix logfile

"Justin" - 2007-05-17 15:37:03 Service Pack 2
ComboFix 07-05.17.V - Running from: "C:\Documents and Settings\Justin\Desktop\Fixes\"


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\Common Files\Yazzle1122OinUninstaller.exe


((((((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\RpcApi


((((((((((((((((((((((((((((((( Files Created from 2007-04-05 to 2007-05-17 ))))))))))))))))))))))))))))))))))


2007-05-17 14:36 <DIR> d-------- C:\DOCUME~1\Justin\APPLIC~1\MailWasherPro
2007-05-17 14:01 <DIR> d-------- C:\avenger
2007-05-17 13:01 <DIR> d-------- C:\Program Files\XPKeepPerUserDisplaySettings
2007-05-17 11:36 <DIR> d-a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2007-05-17 09:43 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-05-17 09:42 <DIR> d-------- C:\DOCUME~1\Justin\.housecall6.6
2007-05-17 09:37 <DIR> d-------- C:\Program Files\PokerStars
2007-05-16 20:11 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2007-05-16 19:53 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-05-16 19:24 <DIR> d-------- C:\VundoFix Backups
2007-05-16 17:23 <DIR> d--hs---- C:\WINDOWS\QWRlbGU
2007-05-16 17:07 1,342 --a------ C:\WINDOWS\system32\tmp.reg
2007-05-16 14:29 <DIR> d-------- C:\DOCUME~1\Justin\APPLIC~1\Lavasoft
2007-05-16 14:28 <DIR> d-------- C:\Program Files\Lavasoft
2007-05-16 14:05 <DIR> d-------- C:\Program Files\CCleaner
2007-05-16 13:42 <DIR> d-------- C:\DOCUME~1\Justin\APPLIC~1\Sammsoft
2007-05-16 13:40 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-05-16 13:22 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-05-16 07:47 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2007-05-16 07:45 <DIR> d-------- C:\Program Files\AC3Filter
2007-05-16 07:19 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2007-05-15 15:11 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\iolo
2007-05-15 15:08 1,007,616 --a------ C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-05-15 15:08 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\CyberLink
2007-05-15 14:52 126,976 --a------ C:\WINDOWS\system32\iavlsp.dll
2007-05-15 14:51 696,320 --a------ C:\WINDOWS\system32\libeay32.dll
2007-05-15 14:51 155,648 --a------ C:\WINDOWS\system32\ssleay32.dll
2007-05-15 14:51 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\iolo
2007-05-15 14:49 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\iolo
2007-05-15 14:34 0 --a------ C:\WINDOWS\system32\ng60.bin
2007-05-15 13:11 <DIR> d-------- C:\Program Files\MagicDVDRipper
2007-05-15 12:25 <DIR> d-------- C:\Program Files\Personal Media Manager
2007-05-08 16:40 <DIR> d-------- C:\Program Files\Absolute Poker
2007-05-08 16:40 <DIR> d-------- C:\Program Files\_uninstallation_info
2007-05-08 16:05 <DIR> d-------- C:\Program Files\Apple Software Update
2007-05-08 15:47 <DIR> d-------- C:\Program Files\MSXML 6.0
2007-05-08 15:18 <DIR> d-------- C:\DOCUME~1\Adele\APPLIC~1\DivX
2007-05-08 15:17 <DIR> d-------- C:\DOCUME~1\Adele\APPLIC~1\Media Player Classic


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-05-17 15:52:05 -------- d-----w C:\Program Files\Nvu
2007-05-17 01:50:22 221 ---ha-w C:\WINDOWS\popcinfo.dat
2007-05-17 00:05:24 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-05-15 19:12:40 -------- d-----w C:\Program Files\RadarSync
2007-05-15 14:22:06 -------- d-----w C:\DOCUME~1\Justin\APPLIC~1\Real
2007-05-08 20:40:27 -------- d-----w C:\Program Files\_uninstallation_info
2007-05-02 18:29:29 -------- d-----w C:\Program Files\PQDVD
2007-04-17 02:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-17 02:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-17 02:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-17 02:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-17 02:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-17 02:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-17 02:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-17 02:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-03-29 13:36:16 -------- d-----w C:\DOCUME~1\Justin\APPLIC~1\OpenOffice.org2
2007-03-26 17:08:16 -------- d-----w C:\DOCUME~1\Justin\APPLIC~1\SmartFTP
2007-03-26 16:58:14 -------- d-----w C:\Program Files\Gallery Constructor 2.0
2007-03-26 16:32:33 -------- d-----w C:\DOCUME~1\Justin\APPLIC~1\Nvu
2007-03-25 18:53:49 -------- d-----w C:\Program Files\BlueVoda Website Builder
2007-03-25 18:35:58 737,280 ----a-w C:\WINDOWS\iun6002.exe
2007-03-24 19:07:25 -------- d-----w C:\Program Files\Microsoft Games
2007-03-23 10:07:56 1,683,280 ------w C:\WINDOWS\system32\XpsSvcs.dll
2007-03-23 10:07:54 583,504 ------w C:\WINDOWS\system32\XPSSHHDR.dll
2007-03-23 00:25:02 124,928 ------w C:\WINDOWS\system32\prntvpt.dll
2007-03-21 00:58:46 -------- d-----w C:\DOCUME~1\Justin\APPLIC~1\Apple Computer
2007-03-20 19:47:11 -------- d-----w C:\Program Files\pspvideo9
2007-03-20 19:47:04 -------- d-----w C:\Program Files\AviSynth 2.5
2007-03-20 15:45:47 -------- d-----w C:\Program Files\UltraISO
2007-03-20 15:34:29 -------- d-----w C:\Program Files\Common Files\EZB Systems
2007-03-18 02:01:30 -------- d-----w C:\DOCUME~1\Justin\APPLIC~1\PSPDocMaker
2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll
2007-03-12 13:05:44 1,302 ----a-w C:\WINDOWS\mozver.dat
2007-03-12 13:05:44 -------- d-----w C:\Program Files\DivX
2007-03-08 15:36:28 577,536 ----a-w C:\WINDOWS\system32\user32.dll
2007-03-08 15:36:28 40,960 ----a-w C:\WINDOWS\system32\mf3216.dll
2007-03-08 15:36:28 281,600 ----a-w C:\WINDOWS\system32\gdi32.dll
2007-03-08 13:47:48 1,843,584 ----a-w C:\WINDOWS\system32\win32k.sys
2007-03-05 16:26:26 -------- d-s---w C:\Program Files\Xfire
2007-03-05 16:26:26 -------- d-----w C:\DOCUME~1\Justin\APPLIC~1\Xfire
2007-02-09 01:33:39 18 ----a-w C:\WINDOWS\popcinfot.dat
2007-02-05 20:17:02 185,344 ----a-w C:\WINDOWS\system32\upnphost.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{02478D38-C3F9-4EFB-9B51-7695ECA05670}=C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll [2005-11-21 16:54]
{53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 01:04]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]
{8B11A219-80C8-4B42-B558-B8C14D1AA8C4}=C:\Program Files\Yahoo!\browser\ybmho.dll [2004-06-11 17:55]
{9030D464-4C02-4ABF-8ECC-5164760863C6}=C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2006-04-07 00:02]
{9394EDE7-C8B5-483E-8773-474BF36AF6E4}=C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll [2004-08-13 17:42]


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" []
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-04-21 16:21]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-05-17 10:34]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:00]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24]


[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages msv1_0
Security Packages kerberos msv1_0 schannel wdigest
Notification Packages scecli

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\1194862116]
C:\PROGRA~1\eGames\PUZZLE~1\Register\EGAMES~1.EXE /r "C:\PROGRA~1\eGames\PUZZLE~1\Register\EGAMES~1.rpd"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ANIWZCS2Service]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avast!]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTDrive]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DXDllRegExe]
dxdllreg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
"C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
"C:\Program Files\HP\HP Software Update\HPWuSchd.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iolo AntiVirus]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iolo Personal Firewall]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
"C:\Program Files\MSN Messenger\msnmsgr.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Qwv]
"C:\Program Files\M?crosoft\winword.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RHSI SHS]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SManager]
smanager.7.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSystemAnalyzer]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SvcManager]
servicess3.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Update Manager]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WindowsUpdate]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe" -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YeppStudioAgent]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\yIdgNlBe]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ymetray]
"C:\Program Files\Yahoo!\Yahoo! Music Engine\YahooMusicEngine.exe" -preload

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\# G"h'9Ӝ3rWC:]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\# G"h'9Ӝ3rWC:\Program Files]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\# G"h'9Ӝ3rWC:\Program Files\ISTsvc]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\# G"h'9Ӝ3rWC:\Program Files\ISTsvc\istsvc.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\# L"h'9Ӝ3rWC:]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\# L"h'9Ӝ3rWC:\Program Files]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\# L"h'9Ӝ3rWC:\Program Files\ISTsvc]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\# L"h'9Ӝ3rWC:\Program Files\ISTsvc\istsvc.exe]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SpybotSD TeaTimer"="C:\\Program Files\\Spybot - Search & Destroy\\TeaTimer.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HTTPFilter HTTPFilter
LocalService Alerter WebClient LmHosts RemoteRegistry upnphost SSDPSRV
NetworkService DnsCache
DcomLaunch DcomLaunch TermService
rpcss RpcSs
imgsvc StiSvc
termsvcs TermService
Usnsvc usnsvc
WudfServiceGroup WUDFSvc

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\MP Scheduled Scan.job
C:\WINDOWS\tasks\Uniblue SpeedUpMyPC Nag.job
C:\WINDOWS\tasks\Uniblue SpeedUpMyPC.job

********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-17 15:43:47
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0


********************************************************************

Completion time: 2007-05-17 15:46:02 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-05-17 15:46
C:\ComboFix2.txt ... 2007-05-16 19:53


--- E O F ---

Still seeing the dvpapi service (disabled) in my services; is it supposed to be there? I don't remember seeing it before this mess, and some Google stuff shows it's part of Authentium Antivirus, which I don't remember installing.

Thanks Again,

Justin

#8 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • Local time:03:18 AM

Posted 17 May 2007 - 03:26 PM

Copy and paste the following bold blue text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save As. Save as type: 'All Files', File name: fix.reg, and save it to your desktop.
Then double click on the fix.reg file on your desktop and agree to merge it into the registry, then reboot.

REGEDIT4
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Qwv]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SManager]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SvcManager]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\yIdgNlBe]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\# G"h'9Ӝ3rWC:]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\# G"h'9Ӝ3rWC:\Program Files]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\# G"h'9Ӝ3rWC:\Program Files\ISTsvc]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\# G"h'9Ӝ3rWC:]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\# G"h'9Ӝ3rWC:\Program Files]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\# G"h'9Ӝ3rWC:\Program Files\ISTsvc]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\# G"h'9Ӝ3rWC:\Program Files\ISTsvc\istsvc.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\# L"h'9Ӝ3rWC:]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\# L"h'9Ӝ3rWC:\Program Files]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\# L"h'9Ӝ3rWC:\Program Files\ISTsvc]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\# L"h'9Ӝ3rWC:\Program Files\ISTsvc\istsvc.exe]

*************************************

Click on Start/Run, type CMD, then press OK.
At the Command Prompt, copy and paste the following commands, pressing Enter after each one.

SC STOP dvpapi
SC DELETE dvpapi


Then type EXIT and press Enter.
Restart your PC.

*************************************

Download and install 'SuperAntiSpyware Home Edition Free Version' from here:
http://www.superantispyware.com/downloadfi...ANTISPYWAREFREE

Launch SuperAntiSpyware and click on 'Check for updates'.
Once the updates have been installed, on the main screen click on 'Scan your computer'.
Check: 'Perform Complete Scan'.
Click 'Next' to start the scan.

SuperAntiSpyware will now scan your computer; when it's finished it will list all/any infections found.
Make sure everything found has a checkmark next to it, then press 'Next'.
Click on 'Finish' when you're done.

It's possible that the program will ask you to reboot in order to delete some files.

Obtain the SuperAntiSpyware log as follows:
Click on 'Preferences'.
Click on the 'Statistics/Logs' tab.
Under 'Scanner Logs' double click on 'SuperAntiSpyware Scan Log'.
It will then open in your default text editor, such as Notepad.
Copy and paste the contents of that report into your next reply.
Also post a new HijackThis log, and let me know how your PC is running now.

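As an added example (not code from this thread, ComboFix, HijackThis or SUPERAntiSpyware), the script below parses a ComboFix-style 'startupreg' dump like the one posted earlier in this thread, flags entries with a few review heuristics, and drafts the kind of REGEDIT4 removal file given in the reply above. The sample dump, the WATCH_LIST and every function name are constructed for this example; the garbled ISTsvc key is reproduced from the log.

```python
"""Triage a ComboFix 'startupreg' dump and draft a REGEDIT4 removal file like
the one in the reply above.  Example written for this thread (not ComboFix,
HijackThis or SUPERAntiSpyware code); the sample dump is constructed."""
import unicodedata

STARTUPREG = r"HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg"

# Constructed sample in ComboFix's layout: [key] line, command line, blank line.
SAMPLE_DUMP = (
    "[" + STARTUPREG + "\\SManager]\nsmanager.7.exe\n\n"
    "[" + STARTUPREG + "\\SvcManager]\nservicess3.exe\n\n"
    "[" + STARTUPREG + "\\TkBellExe]\n"
    '"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe" -osboot\n\n'
    "[" + STARTUPREG + "\\yIdgNlBe]\n\n"
    "[" + STARTUPREG + "\\# G\"h'9\u04dc3rWC:\\Program Files\\ISTsvc\\istsvc.exe]\n\n"
)
WATCH_LIST = ("istsvc",)  # path fragment named in this thread; a real list is longer

def parse_startupreg(dump):
    """Yield (key, name, command) for every startupreg key in the dump."""
    lines = dump.splitlines()
    for i, line in enumerate(lines):
        key = line[1:-1]
        if not (line.startswith("[") and line.endswith("]")) or "\\startupreg\\" not in key:
            continue
        name = key.split("\\startupreg\\", 1)[1]
        nxt = lines[i + 1].strip() if i + 1 < len(lines) else ""
        yield key, name, ("" if nxt.startswith("[") else nxt)

def executable_of(command):
    """Pull the program path out of a Run-style command line."""
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    parts = command.split()
    return parts[0] if parts else ""

def suspicious_reasons(name, command):
    """Heuristic review flags for one entry; [] means nothing obvious."""
    reasons = []
    if any(ord(c) > 126 or unicodedata.category(c) == "Cc" for c in name):
        reasons.append("key name contains non-ASCII or control characters")
    if any(c in name for c in "\"':\\"):
        reasons.append("key name contains quote or path characters")
    exe = executable_of(command)
    if exe and "\\" not in exe:
        # Bare file name: loaded via PATH lookup, which is how smanager.7.exe
        # and servicess3.exe hid.  Review before deleting: a legitimate entry
        # such as SOUNDMAN.EXE trips this flag too.
        reasons.append("command is a bare file name with no directory")
    if any(w in (name + " " + exe).lower() for w in WATCH_LIST):
        reasons.append("matches watch list")
    return reasons

def flagged_entries(dump):
    """Return [(key, reasons)] for entries with at least one flag."""
    return [(key, r) for key, name, cmd in parse_startupreg(dump)
            if (r := suspicious_reasons(name, cmd))]

def build_fix_reg(dump):
    """REGEDIT4 text deleting every flagged key; [-KEY] removes the key."""
    out = ["REGEDIT4", ""]
    for key, reasons in flagged_entries(dump):
        out += ["; " + "; ".join(reasons), "[-" + key + "]"]
    return "\n".join(out) + "\n"
```

Note that the heuristics catch SManager, SvcManager and the garbled ISTsvc key but not yIdgNlBe, which the expert removed on other grounds: a script like this is a first pass for review, not a substitute for reading the log.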

#9 moridin

moridin
  • Topic Starter

  • Members
  • 6 posts
  • Local time:10:18 PM

Posted 17 May 2007 - 09:34 PM

Everything seems to be running better now. My log files are below.

Logfile of HijackThis v1.99.1
Scan saved at 6:13:02 PM, on 17/05/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\XPKeepPerUserDisplaySettings\XPKeepPerUserDisplaySettings.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: IYBookmarkHO Class - {8B11A219-80C8-4B42-B558-B8C14D1AA8C4} - C:\Program Files\Yahoo!\browser\ybmho.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: XP Keep Per User Display Settings.lnk = C:\Program Files\XPKeepPerUserDisplaySettings\XPKeepPerUserDisplaySettings.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

My first run with SuperAntiSpyware

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 05/17/2007 at 05:28 PM

Application Version : 3.7.1018

Core Rules Database Version : 3239
Trace Rules Database Version: 1250

Scan type : Complete Scan
Total Scan Time : 00:36:50

Memory items scanned : 368
Memory threats detected : 0
Registry items scanned : 5664
Registry threats detected : 0
File items scanned : 37958
File threats detected : 72

Adware.Tracking Cookie
C:\Documents and Settings\Justin\Cookies\justin@atdmt[2].txt
C:\Documents and Settings\Justin\Cookies\justin@1072556060[1].txt
C:\Documents and Settings\Justin\Cookies\justin@revsci[2].txt
C:\Documents and Settings\Justin\Cookies\justin@itxt.vibrantmedia[1].txt
C:\Documents and Settings\Justin\Cookies\justin@ads.pointroll[2].txt
C:\Documents and Settings\Justin\Cookies\justin@tribalfusion[1].txt
C:\Documents and Settings\Justin\Cookies\justin@adserver.conjelco[2].txt
C:\Documents and Settings\Justin\Cookies\justin@adcentriconline[1].txt
C:\Documents and Settings\Justin\Cookies\justin@doubleclick[1].txt
C:\Documents and Settings\Justin\Cookies\justin@adserverb.conjelco[2].txt
C:\Documents and Settings\Adele\Cookies\adele@a.websponsors[1].txt
C:\Documents and Settings\Adele\Cookies\adele@ad.outerinfo[2].txt
C:\Documents and Settings\Adele\Cookies\adele@adcentriconline[2].txt
C:\Documents and Settings\Adele\Cookies\adele@adopt.euroclick[2].txt
C:\Documents and Settings\Adele\Cookies\adele@ads.adbrite[1].txt
C:\Documents and Settings\Adele\Cookies\adele@advertising[2].txt
C:\Documents and Settings\Adele\Cookies\adele@aff.primaryads[1].txt
C:\Documents and Settings\Adele\Cookies\adele@atdmt[1].txt
C:\Documents and Settings\Adele\Cookies\adele@atwola[1].txt
C:\Documents and Settings\Adele\Cookies\adele@azoogleads[1].txt
C:\Documents and Settings\Adele\Cookies\adele@bluestreak[2].txt
C:\Documents and Settings\Adele\Cookies\adele@burstnet[1].txt
C:\Documents and Settings\Adele\Cookies\adele@canadapost.112.2o7[1].txt
C:\Documents and Settings\Adele\Cookies\adele@canadiansponsors.directtrack[1].txt
C:\Documents and Settings\Adele\Cookies\adele@casalemedia[2].txt
C:\Documents and Settings\Adele\Cookies\adele@cdn.euroclick[1].txt
C:\Documents and Settings\Adele\Cookies\adele@cpvfeed[2].txt
C:\Documents and Settings\Adele\Cookies\adele@data4.perf.overture[1].txt
C:\Documents and Settings\Adele\Cookies\adele@directtrack[2].txt
C:\Documents and Settings\Adele\Cookies\adele@doubleclick[1].txt
C:\Documents and Settings\Adele\Cookies\adele@leads.specificmedia[2].txt
C:\Documents and Settings\Adele\Cookies\adele@lynxtrack[1].txt
C:\Documents and Settings\Adele\Cookies\adele@msnportal.112.2o7[1].txt
C:\Documents and Settings\Adele\Cookies\adele@network-ca.247realmedia[1].txt
C:\Documents and Settings\Adele\Cookies\adele@qnsr[1].txt
C:\Documents and Settings\Adele\Cookies\adele@revsci[2].txt
C:\Documents and Settings\Adele\Cookies\adele@sales.liveperson[2].txt
C:\Documents and Settings\Adele\Cookies\adele@winantivirus[1].txt
C:\Documents and Settings\Adele\Cookies\adele@www.burstbeacon[2].txt
C:\Documents and Settings\Adele\Cookies\adele@www.rowise[1].txt
C:\Documents and Settings\Adele\Cookies\adele@xiti[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@toplist[1].txt

Adware.ClickSpring
C:\DOCUMENTS AND SETTINGS\ADELE\MY DOCUMENTS\YSTEM~1\SERVICES.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{234F845F-1D64-4164-925B-386A3143B296}\RP651\A0259774.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{234F845F-1D64-4164-925B-386A3143B296}\RP652\A0259842.EXE

Adware.ClickSpring/Yazzle
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\COMMON FILES\YAZZLE1122OINUNINSTALLER.EXE.VIR

Trojan.Unknown Origin
C:\SYSTEM VOLUME INFORMATION\_RESTORE{234F845F-1D64-4164-925B-386A3143B296}\RP647\A0250236.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{234F845F-1D64-4164-925B-386A3143B296}\RP648\A0258382.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{234F845F-1D64-4164-925B-386A3143B296}\RP651\A0259757.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{234F845F-1D64-4164-925B-386A3143B296}\RP651\A0259777.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{234F845F-1D64-4164-925B-386A3143B296}\RP656\A0265479.VBS
C:\SYSTEM VOLUME INFORMATION\_RESTORE{234F845F-1D64-4164-925B-386A3143B296}\RP657\A0265698.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{234F845F-1D64-4164-925B-386A3143B296}\RP658\A0266852.EXE
C:\WINDOWS\QWRLBGU\KQL5V3O.VBS

Adware.ClickSpring-Variant
C:\SYSTEM VOLUME INFORMATION\_RESTORE{234F845F-1D64-4164-925B-386A3143B296}\RP651\A0259771.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{234F845F-1D64-4164-925B-386A3143B296}\RP652\A0259840.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{234F845F-1D64-4164-925B-386A3143B296}\RP652\A0259851.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{234F845F-1D64-4164-925B-386A3143B296}\RP658\A0266710.EXE

Unclassified.Unknown Origin
C:\SYSTEM VOLUME INFORMATION\_RESTORE{234F845F-1D64-4164-925B-386A3143B296}\RP651\A0259773.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{234F845F-1D64-4164-925B-386A3143B296}\RP651\A0259778.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{234F845F-1D64-4164-925B-386A3143B296}\RP657\A0265694.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{234F845F-1D64-4164-925B-386A3143B296}\RP657\A0265695.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{234F845F-1D64-4164-925B-386A3143B296}\RP657\A0265696.DLL

Trojan.Downloader-Gen/HardFall
C:\SYSTEM VOLUME INFORMATION\_RESTORE{234F845F-1D64-4164-925B-386A3143B296}\RP651\A0259779.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{234F845F-1D64-4164-925B-386A3143B296}\RP651\A0259784.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{234F845F-1D64-4164-925B-386A3143B296}\RP651\A0259789.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{234F845F-1D64-4164-925B-386A3143B296}\RP657\A0265690.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{234F845F-1D64-4164-925B-386A3143B296}\RP657\A0265691.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{234F845F-1D64-4164-925B-386A3143B296}\RP657\A0265692.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{234F845F-1D64-4164-925B-386A3143B296}\RP657\A0265693.DLL
C:\VUNDOFIX BACKUPS\QOMMLLK.DLL.BAD

Unclassified.Unknown Origin/System
C:\SYSTEM VOLUME INFORMATION\_RESTORE{234F845F-1D64-4164-925B-386A3143B296}\RP657\A0265697.EXE


My second run with SuperAntiSpyware

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 05/17/2007 at 06:07 PM

Application Version : 3.7.1018

Core Rules Database Version : 3239
Trace Rules Database Version: 1250

Scan type : Complete Scan
Total Scan Time : 00:35:26

Memory items scanned : 347
Memory threats detected : 0
Registry items scanned : 5667
Registry threats detected : 0
File items scanned : 37900
File threats detected : 1

Trojan.Unknown Origin
C:\SYSTEM VOLUME INFORMATION\_RESTORE{234F845F-1D64-4164-925B-386A3143B296}\RP659\A0266934.VBS


Seems to be running a lot better now. I'm going to run my AVG and SuperAntiSpyware again in the morning.

Thanks a whole lot...saved me so much headache.

Justin

#10 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • Local time:03:18 AM

Posted 18 May 2007 - 04:20 AM

Your log is clean :thumbsup:
If all's OK, please do the following:

Find and delete:
C:\VundoFix Backups
C:\QooBox
C:\Avenger
fix.reg
Vundofix
Combofix
Avenger


Enable Windows Defender.

Click on Start/All Programs/Accessories/System Tools/System Restore.
In the 'System Restore' window, click on the 'Create a Restore Point' button, then click 'Next'.
In the window that appears, enter a description/name for the Restore Point, then click on 'Create', wait, then click 'Close'.
The date and time will be created automatically.

Next click on Start/All Programs/Accessories/System Tools/Disk Cleanup.
The 'Select Drive' box will appear; click on OK.
The 'Disk Cleanup for [C:]' box will appear; click on the 'More Options' tab.
At the bottom, in the 'System Restore' section, click on the 'Clean up...' button.
A box will pop up: 'Are you sure you want to delete all but the most recent restore point?'. Click on 'Yes'.
Click on 'Yes' at 'Are you sure you want to perform these actions?'.
Now wait until 'Disk Cleanup' finishes and the box disappears.

Read through the information found here, to help you prevent any possible future infections.
'How to prevent Malware' by miekiemoes:
http://users.telenet.be/bluepatchy/miekiem...prevention.html

#11 moridin

moridin
  • Topic Starter

  • Members
  • 6 posts
  • Local time:10:18 PM

Posted 18 May 2007 - 07:11 AM

Thanks again RichieUK,

You guys at the HJT Team are awesome. Saved me countless hours searching for every fix. Thanks again.

Justin

#12 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • Local time:03:18 AM

Posted 18 May 2007 - 07:21 AM

You're most welcome Justin :thumbsup:

Since your problem appears to be resolved, this thread will now be closed.
If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you.
Include the address of this thread in your request.
If you should have a new issue, please start a new topic.
This applies only to the original topic starter.
Everyone else please begin a New Topic.