
Computer's Been Infected... Please Help...


3 replies to this topic

#1 mistermatt516

mistermatt516

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:08:26 PM

Posted 29 May 2007 - 11:02 PM

Hi all... I've gotten infected with this Win2000 malware on my other laptop... I've followed all the other steps and this thing won't go away... here are the logs from the diagnostic... I'm hoping someone can help me clean this up as I would rather not use the recovery disc on the computer as it would wipe out everything... thanks... Matt
[05/23/2007, 0:17:27] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Matt\Desktop\spy remove\VirtumundoBeGone.exe" )
[05/23/2007, 0:17:40] - Detected System Information:
[05/23/2007, 0:17:40] - Windows Version: 5.1.2600, Service Pack 2
[05/23/2007, 0:17:40] - Current Username: Matt (Admin)
[05/23/2007, 0:17:40] - Windows is in NORMAL mode.
[05/23/2007, 0:17:40] - Searching for Browser Helper Objects:
[05/23/2007, 0:17:40] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[05/23/2007, 0:17:40] - BHO 2: {349B49E0-52BF-45F9-3FBB-EC5235BC18C9} ()
[05/23/2007, 0:17:40] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/23/2007, 0:17:40] - Checking for HKLM\...\Winlogon\Notify\lavulaza
[05/23/2007, 0:17:40] - Key not found: HKLM\...\Winlogon\Notify\lavulaza, continuing.
[05/23/2007, 0:17:40] - BHO 3: {5CA3D70E-1895-11CF-8E15-001234567890} (DriveLetterAccess)
[05/23/2007, 0:17:40] - BHO 4: {9B3C6D23-15BC-4DDB-892F-690FB0440945} ()
[05/23/2007, 0:17:40] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/23/2007, 0:17:40] - Checking for HKLM\...\Winlogon\Notify\ddccy
[05/23/2007, 0:17:40] - Key not found: HKLM\...\Winlogon\Notify\ddccy, continuing.
[05/23/2007, 0:17:40] - BHO 5: {AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
[05/23/2007, 0:17:40] - BHO 6: {B40E4B67-D0DC-D37F-D90E-F9ADD9B072C4} ()
[05/23/2007, 0:17:40] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/23/2007, 0:17:40] - Checking for HKLM\...\Winlogon\Notify\yiytme
[05/23/2007, 0:17:40] - Key not found: HKLM\...\Winlogon\Notify\yiytme, continuing.
[05/23/2007, 0:17:40] - BHO 7: {FEE900ED-C147-4EE4-AB9D-49A8E4ACC06A} ()
[05/23/2007, 0:17:40] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/23/2007, 0:17:40] - Checking for HKLM\...\Winlogon\Notify\hokero
[05/23/2007, 0:17:40] - Key not found: HKLM\...\Winlogon\Notify\hokero, continuing.
[05/23/2007, 0:17:40] - Finished Searching Browser Helper Objects
[05/23/2007, 0:17:40] - Finishing up...
[05/23/2007, 0:17:40] - Nothing found! Exiting...

[05/23/2007, 0:23:03] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Matt\Desktop\spy remove\VirtumundoBeGone.exe" )
[05/23/2007, 0:23:12] - Detected System Information:
[05/23/2007, 0:23:12] - Windows Version: 5.1.2600, Service Pack 2
[05/23/2007, 0:23:12] - Current Username: Matt (Admin)
[05/23/2007, 0:23:13] - Windows is in SAFE mode.
[05/23/2007, 0:23:13] - Searching for Browser Helper Objects:
[05/23/2007, 0:23:13] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[05/23/2007, 0:23:13] - BHO 2: {349B49E0-52BF-45F9-3FBB-EC5235BC18C9} ()
[05/23/2007, 0:23:13] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/23/2007, 0:23:13] - Checking for HKLM\...\Winlogon\Notify\lavulaza
[05/23/2007, 0:23:13] - Key not found: HKLM\...\Winlogon\Notify\lavulaza, continuing.
[05/23/2007, 0:23:13] - BHO 3: {5CA3D70E-1895-11CF-8E15-001234567890} (DriveLetterAccess)
[05/23/2007, 0:23:13] - BHO 4: {9B3C6D23-15BC-4DDB-892F-690FB0440945} ()
[05/23/2007, 0:23:13] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/23/2007, 0:23:13] - Checking for HKLM\...\Winlogon\Notify\ddccy
[05/23/2007, 0:23:13] - Key not found: HKLM\...\Winlogon\Notify\ddccy, continuing.
[05/23/2007, 0:23:13] - BHO 5: {AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
[05/23/2007, 0:23:13] - BHO 6: {B40E4B67-D0DC-D37F-D90E-F9ADD9B072C4} ()
[05/23/2007, 0:23:13] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/23/2007, 0:23:13] - Checking for HKLM\...\Winlogon\Notify\yiytme
[05/23/2007, 0:23:13] - Key not found: HKLM\...\Winlogon\Notify\yiytme, continuing.
[05/23/2007, 0:23:13] - BHO 7: {FEE900ED-C147-4EE4-AB9D-49A8E4ACC06A} ()
[05/23/2007, 0:23:13] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/23/2007, 0:23:13] - Checking for HKLM\...\Winlogon\Notify\hokero
[05/23/2007, 0:23:13] - Key not found: HKLM\...\Winlogon\Notify\hokero, continuing.
[05/23/2007, 0:23:13] - Finished Searching Browser Helper Objects
[05/23/2007, 0:23:13] - Finishing up...
[05/23/2007, 0:23:13] - Nothing found! Exiting...

[05/23/2007, 14:14:24] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Matt\Desktop\spy remove\VirtumundoBeGone.exe" )
[05/23/2007, 14:14:28] - Detected System Information:
[05/23/2007, 14:14:28] - Windows Version: 5.1.2600, Service Pack 2
[05/23/2007, 14:14:28] - Current Username: Matt (Admin)
[05/23/2007, 14:14:28] - Windows is in NORMAL mode.
[05/23/2007, 14:14:28] - Searching for Browser Helper Objects:
[05/23/2007, 14:14:28] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[05/23/2007, 14:14:28] - BHO 2: {2178F3FB-2560-458F-BDEE-631E2FE0DFE4} (CIEIntegrator Object)
[05/23/2007, 14:14:28] - BHO 3: {349B49E0-52BF-45F9-3FBB-EC5235BC18C9} ()
[05/23/2007, 14:14:28] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/23/2007, 14:14:28] - Checking for HKLM\...\Winlogon\Notify\lavulaza
[05/23/2007, 14:14:28] - Key not found: HKLM\...\Winlogon\Notify\lavulaza, continuing.
[05/23/2007, 14:14:28] - BHO 4: {5CA3D70E-1895-11CF-8E15-001234567890} (DriveLetterAccess)
[05/23/2007, 14:14:28] - BHO 5: {9B3C6D23-15BC-4DDB-892F-690FB0440945} ()
[05/23/2007, 14:14:28] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/23/2007, 14:14:28] - Checking for HKLM\...\Winlogon\Notify\ddccy
[05/23/2007, 14:14:28] - Key not found: HKLM\...\Winlogon\Notify\ddccy, continuing.
[05/23/2007, 14:14:28] - BHO 6: {AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
[05/23/2007, 14:14:28] - BHO 7: {B40E4B67-D0DC-D37F-D90E-F9ADD9B072C4} ()
[05/23/2007, 14:14:28] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/23/2007, 14:14:28] - Checking for HKLM\...\Winlogon\Notify\yiytme
[05/23/2007, 14:14:28] - Key not found: HKLM\...\Winlogon\Notify\yiytme, continuing.
[05/23/2007, 14:14:28] - BHO 8: {B5141620-C2B2-4D95-9F0F-134D99C87AB0} (IEFW Object)
[05/23/2007, 14:14:28] - BHO 9: {FEE900ED-C147-4EE4-AB9D-49A8E4ACC06A} ()
[05/23/2007, 14:14:28] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/23/2007, 14:14:28] - Checking for HKLM\...\Winlogon\Notify\hokero
[05/23/2007, 14:14:28] - Key not found: HKLM\...\Winlogon\Notify\hokero, continuing.
[05/23/2007, 14:14:28] - Finished Searching Browser Helper Objects
[05/23/2007, 14:14:28] - Finishing up...
[05/23/2007, 14:14:28] - Nothing found! Exiting...


Now the other one... I'm not sure which version is which.



[05/23/2007, 0:17:27] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Matt\Desktop\spy remove\VirtumundoBeGone.exe" )
[05/23/2007, 0:17:40] - Detected System Information:
[05/23/2007, 0:17:40] - Windows Version: 5.1.2600, Service Pack 2
[05/23/2007, 0:17:40] - Current Username: Matt (Admin)
[05/23/2007, 0:17:40] - Windows is in NORMAL mode.
[05/23/2007, 0:17:40] - Searching for Browser Helper Objects:
[05/23/2007, 0:17:40] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[05/23/2007, 0:17:40] - BHO 2: {349B49E0-52BF-45F9-3FBB-EC5235BC18C9} ()
[05/23/2007, 0:17:40] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/23/2007, 0:17:40] - Checking for HKLM\...\Winlogon\Notify\lavulaza
[05/23/2007, 0:17:40] - Key not found: HKLM\...\Winlogon\Notify\lavulaza, continuing.
[05/23/2007, 0:17:40] - BHO 3: {5CA3D70E-1895-11CF-8E15-001234567890} (DriveLetterAccess)
[05/23/2007, 0:17:40] - BHO 4: {9B3C6D23-15BC-4DDB-892F-690FB0440945} ()
[05/23/2007, 0:17:40] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/23/2007, 0:17:40] - Checking for HKLM\...\Winlogon\Notify\ddccy
[05/23/2007, 0:17:40] - Key not found: HKLM\...\Winlogon\Notify\ddccy, continuing.
[05/23/2007, 0:17:40] - BHO 5: {AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
[05/23/2007, 0:17:40] - BHO 6: {B40E4B67-D0DC-D37F-D90E-F9ADD9B072C4} ()
[05/23/2007, 0:17:40] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/23/2007, 0:17:40] - Checking for HKLM\...\Winlogon\Notify\yiytme
[05/23/2007, 0:17:40] - Key not found: HKLM\...\Winlogon\Notify\yiytme, continuing.
[05/23/2007, 0:17:40] - BHO 7: {FEE900ED-C147-4EE4-AB9D-49A8E4ACC06A} ()
[05/23/2007, 0:17:40] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/23/2007, 0:17:40] - Checking for HKLM\...\Winlogon\Notify\hokero
[05/23/2007, 0:17:40] - Key not found: HKLM\...\Winlogon\Notify\hokero, continuing.
[05/23/2007, 0:17:40] - Finished Searching Browser Helper Objects
[05/23/2007, 0:17:40] - Finishing up...
[05/23/2007, 0:17:40] - Nothing found! Exiting...

[05/23/2007, 0:23:03] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Matt\Desktop\spy remove\VirtumundoBeGone.exe" )
[05/23/2007, 0:23:12] - Detected System Information:
[05/23/2007, 0:23:12] - Windows Version: 5.1.2600, Service Pack 2
[05/23/2007, 0:23:12] - Current Username: Matt (Admin)
[05/23/2007, 0:23:13] - Windows is in SAFE mode.
[05/23/2007, 0:23:13] - Searching for Browser Helper Objects:
[05/23/2007, 0:23:13] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[05/23/2007, 0:23:13] - BHO 2: {349B49E0-52BF-45F9-3FBB-EC5235BC18C9} ()
[05/23/2007, 0:23:13] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/23/2007, 0:23:13] - Checking for HKLM\...\Winlogon\Notify\lavulaza
[05/23/2007, 0:23:13] - Key not found: HKLM\...\Winlogon\Notify\lavulaza, continuing.
[05/23/2007, 0:23:13] - BHO 3: {5CA3D70E-1895-11CF-8E15-001234567890} (DriveLetterAccess)
[05/23/2007, 0:23:13] - BHO 4: {9B3C6D23-15BC-4DDB-892F-690FB0440945} ()
[05/23/2007, 0:23:13] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/23/2007, 0:23:13] - Checking for HKLM\...\Winlogon\Notify\ddccy
[05/23/2007, 0:23:13] - Key not found: HKLM\...\Winlogon\Notify\ddccy, continuing.
[05/23/2007, 0:23:13] - BHO 5: {AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
[05/23/2007, 0:23:13] - BHO 6: {B40E4B67-D0DC-D37F-D90E-F9ADD9B072C4} ()
[05/23/2007, 0:23:13] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/23/2007, 0:23:13] - Checking for HKLM\...\Winlogon\Notify\yiytme
[05/23/2007, 0:23:13] - Key not found: HKLM\...\Winlogon\Notify\yiytme, continuing.
[05/23/2007, 0:23:13] - BHO 7: {FEE900ED-C147-4EE4-AB9D-49A8E4ACC06A} ()
[05/23/2007, 0:23:13] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/23/2007, 0:23:13] - Checking for HKLM\...\Winlogon\Notify\hokero
[05/23/2007, 0:23:13] - Key not found: HKLM\...\Winlogon\Notify\hokero, continuing.
[05/23/2007, 0:23:13] - Finished Searching Browser Helper Objects
[05/23/2007, 0:23:13] - Finishing up...
[05/23/2007, 0:23:13] - Nothing found! Exiting...

[05/23/2007, 14:14:24] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Matt\Desktop\spy remove\VirtumundoBeGone.exe" )
[05/23/2007, 14:14:28] - Detected System Information:
[05/23/2007, 14:14:28] - Windows Version: 5.1.2600, Service Pack 2
[05/23/2007, 14:14:28] - Current Username: Matt (Admin)
[05/23/2007, 14:14:28] - Windows is in NORMAL mode.
[05/23/2007, 14:14:28] - Searching for Browser Helper Objects:
[05/23/2007, 14:14:28] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[05/23/2007, 14:14:28] - BHO 2: {2178F3FB-2560-458F-BDEE-631E2FE0DFE4} (CIEIntegrator Object)
[05/23/2007, 14:14:28] - BHO 3: {349B49E0-52BF-45F9-3FBB-EC5235BC18C9} ()
[05/23/2007, 14:14:28] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/23/2007, 14:14:28] - Checking for HKLM\...\Winlogon\Notify\lavulaza
[05/23/2007, 14:14:28] - Key not found: HKLM\...\Winlogon\Notify\lavulaza, continuing.
[05/23/2007, 14:14:28] - BHO 4: {5CA3D70E-1895-11CF-8E15-001234567890} (DriveLetterAccess)
[05/23/2007, 14:14:28] - BHO 5: {9B3C6D23-15BC-4DDB-892F-690FB0440945} ()
[05/23/2007, 14:14:28] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/23/2007, 14:14:28] - Checking for HKLM\...\Winlogon\Notify\ddccy
[05/23/2007, 14:14:28] - Key not found: HKLM\...\Winlogon\Notify\ddccy, continuing.
[05/23/2007, 14:14:28] - BHO 6: {AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
[05/23/2007, 14:14:28] - BHO 7: {B40E4B67-D0DC-D37F-D90E-F9ADD9B072C4} ()
[05/23/2007, 14:14:28] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/23/2007, 14:14:28] - Checking for HKLM\...\Winlogon\Notify\yiytme
[05/23/2007, 14:14:28] - Key not found: HKLM\...\Winlogon\Notify\yiytme, continuing.
[05/23/2007, 14:14:28] - BHO 8: {B5141620-C2B2-4D95-9F0F-134D99C87AB0} (IEFW Object)
[05/23/2007, 14:14:28] - BHO 9: {FEE900ED-C147-4EE4-AB9D-49A8E4ACC06A} ()
[05/23/2007, 14:14:28] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/23/2007, 14:14:28] - Checking for HKLM\...\Winlogon\Notify\hokero
[05/23/2007, 14:14:28] - Key not found: HKLM\...\Winlogon\Notify\hokero, continuing.
[05/23/2007, 14:14:28] - Finished Searching Browser Helper Objects
[05/23/2007, 14:14:28] - Finishing up...
[05/23/2007, 14:14:28] - Nothing found! Exiting...

They seem like identical posts but they were two separate runs... thanks again... Matt


#2 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:02:26 AM

Posted 30 May 2007 - 06:58 AM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum mistermatt516 :thumbsup:

Download and install Hijackthis.
This is a self-extracting version which will automatically install HJT to C:\Program Files\Hijackthis by default.
A desktop shortcut can be created during install under 'Select Additional Tasks'.

********************

Download VundoFix.exe to your desktop.
Double-click VundoFix.exe to run it.
When VundoFix re-opens, click the "Scan for Vundo" button.
Once it's done scanning, click the "Remove Vundo" button.
You will receive a prompt asking if you want to remove the files, click "YES".
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click "OK".
Post the contents of C:\vundofix.txt into your next reply.

Note:
It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

********************

Please download Combofix and save to your desktop:
http://download.bleepingcomputer.com/sUBs/Beta/ComboFix.exe
Note:
It is important that it is saved directly to your desktop

Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the C:\ComboFix.txt into your next reply.
Note:
Do not mouseclick combofix's window whilst it's running.
That may cause the program to freeze/hang.


********************

Now go to:
C:\Program Files\HijackThis\HijackThis.exe
Right click on Hijackthis.exe and select 'Rename', rename it to abc.bat
Double click on abc.bat (which is still Hijackthis.exe), post that log into your next reply.

#3 mistermatt516

mistermatt516
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:08:26 PM

Posted 01 June 2007 - 06:17 PM

Thanks... here's the HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 7:12:41 PM, on 6/1/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\SpywareBot\SpywareBot.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\WINDOWS\PPPATC~1\userinit.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\Program Files\Yahoo!\Yahoo! Music Engine\ymetray.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/WORLD/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [DwlClient] c:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [spywarebot] C:\Program Files\SpywareBot\SpywareBot.exe -boot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ymetray] "C:\Program Files\Yahoo!\Yahoo! Music Engine\YahooMusicEngine.exe" -preload
O4 - HKLM\..\Run: [{ZN}] C:\Documents and Settings\Matt\Local Settings\Temp\TICHD003.exe CHD003
O4 - HKLM\..\Run: [mav_startupmon] "C:\Program Files\Common Files\WinAntiVirus Pro 2007\mav_startupmon.exe"
O4 - HKLM\..\Run: [Genuine] rundll32.exe "C:\WINDOWS\system32\srtqtwem.dll",realset
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [Aida] "C:\WINDOWS\PPPATC~1\userinit.exe" -vt yazb
O4 - HKCU\..\Run: [Menbcug] C:\WINDOWS\SYSTEM32\?icrosoft.NET\r?ndll.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: TA_Start.lnk = C:\Documents and Settings\Matt\Local Settings\Temp\TICHD003.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: ymetray.lnk = C:\Program Files\Yahoo!\Yahoo! Music Engine\ymetray.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1155946954585
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
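The log above contains the kind of entries a helper looks for by eye: an autorun target sitting in the user's Temp folder, a path with a character HijackThis could not render (shown as `?`, which Windows does not allow in a file name anyway), rundll32 loading a randomly named DLL from system32, and a toolbar CLSID registered with no name and no file. The script below is an added example, not code from BleepingComputer, HijackThis or either poster; it encodes those four checks as triage heuristics and runs them over lines copied from this thread's log (embedded as constructed sample input). The regular expressions and the reason strings are assumptions of this example, not HijackThis's own format definitions.

```python
"""Triage heuristics for HijackThis O3/O4 log lines (added example).

Each heuristic flags a property a responder would check, not a verdict:
rundll32 entries in particular are common for legitimate software and are
reported for review rather than as malicious.
"""
import re

# Sample lines copied from the HijackThis log posted above (constructed input).
SAMPLE_LOG = r"""
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [{ZN}] C:\Documents and Settings\Matt\Local Settings\Temp\TICHD003.exe CHD003
O4 - HKLM\..\Run: [Genuine] rundll32.exe "C:\WINDOWS\system32\srtqtwem.dll",realset
O4 - HKCU\..\Run: [Menbcug] C:\WINDOWS\SYSTEM32\?icrosoft.NET\r?ndll.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: TA_Start.lnk = C:\Documents and Settings\Matt\Local Settings\Temp\TICHD003.exe
"""

# Line shapes assumed from the log above (HijackThis v1.99.1 output).
O4_RUN_RE = re.compile(r"^O4 - (?P<hive>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O4_STARTUP_RE = re.compile(r"^O4 - (?P<hive>(?:Global )?Startup): (?P<lnk>.+?) = (?P<cmd>.+)$")
O3_RE = re.compile(r"^O3 - Toolbar: (?P<name>.+?) - \{[0-9A-Fa-f-]+\} - (?P<file>.+)$")

# Indicators checked inside an autorun command line.
TEMP_RE = re.compile(r"\\(?:Local Settings\\)?Temp\\", re.IGNORECASE)
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?([^",]+\.dll)"?\s*,\s*(\w+)', re.IGNORECASE)


def check_command(cmd):
    """Return the list of reasons an autorun command line deserves attention."""
    reasons = []
    if TEMP_RE.search(cmd):
        reasons.append("autorun target lives in a Temp directory")
    # '?' is illegal in Windows file names; HijackThis prints it for characters
    # it cannot render, so either way the path is not what it appears to be.
    if "?" in cmd or any(ord(ch) > 127 for ch in cmd):
        reasons.append("path contains '?' or a non-ASCII character (look-alike name)")
    m = RUNDLL_RE.match(cmd)
    if m and re.search(r"\\system32\\", m.group(1), re.IGNORECASE):
        reasons.append(
            f"rundll32 loads {m.group(1)} export {m.group(2)} from system32: verify publisher"
        )
    return reasons


def triage(log_text):
    """Scan O3/O4 lines and return [(line, [reason, ...]), ...] for flagged ones."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        reasons = []
        m = O4_RUN_RE.match(line) or O4_STARTUP_RE.match(line)
        if m:
            reasons = check_command(m.group("cmd"))
        else:
            m = O3_RE.match(line)
            if m and m.group("name") == "(no name)" and m.group("file") == "(no file)":
                reasons = ["toolbar registered with no name and no file (orphaned CLSID)"]
        if reasons:
            findings.append((line, reasons))
    return findings


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG):
        print(line)
        for reason in reasons:
            print("    ->", reason)
```

Run against the sample, the script flags the orphaned O3 toolbar, both TICHD003.exe entries in Temp, the rundll32 line for srtqtwem.dll, and the `?icrosoft.NET` path, while leaving QuickTime, ctfmon and the Google toolbar alone. The Temp and illegal-character checks are strong signals on their own; the rundll32 check only tells you where to look, since the DLL's publisher and signature decide the rest.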

#4 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:02:26 AM

Posted 02 June 2007 - 03:42 AM

Download VundoFix.exe to your desktop.
Double-click VundoFix.exe to run it.
When VundoFix re-opens, click the "Scan for Vundo" button.
Once it's done scanning, click the "Remove Vundo" button.
You will receive a prompt asking if you want to remove the files, click "YES".
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click "OK".
Post the contents of C:\vundofix.txt into your next reply.

Note:
It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

********************

Please download Combofix and save to your desktop:
http://download.bleepingcomputer.com/sUBs/Beta/ComboFix.exe
Note:
It is important that it is saved directly to your desktop

Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the C:\ComboFix.txt into your next reply.
Note:
Do not mouseclick combofix's window whilst it's running.
That may cause the program to freeze/hang.


********************

Now go to:
C:\Program Files\HijackThis\HijackThis.exe
Right click on Hijackthis.exe and select 'Rename', rename it to abc.bat
Double click on abc.bat (which is still Hijackthis.exe), post that log into your next reply.