Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Help! I Keep On Getting The Winantivirus, System Doctor, Amaena, Errorsafe, Winfixer And Drivecleaner Pop-ups!


  • Please log in to reply
14 replies to this topic

#1 jayparmar

jayparmar

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:51 PM

Posted 09 June 2007 - 05:52 AM

Logfile of HijackThis v1.99.1
Scan saved at 11:40:58, on 09/06/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\USB Product Driver v2.33r005\shwicon.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Jay\My Documents\stinger.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =

http://uk.red.clientapps.yahoo.com/customi.../*http://uk.doc

s.yahoo.com/info/bt_side.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =

http://uk.red.clientapps.yahoo.com/customi.../*http://uk.sea

rch.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =

http://go.microsoft.com/fwlink/?LinkId=566...w.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =

http://uk.red.clientapps.yahoo.com/customi.../*http://uk.sea

rch.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =

http://uk.red.clientapps.yahoo.com/customi.../*http://uk.doc

s.yahoo.com/info/bt_side.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =

http://go.microsoft.com/fwlink/?LinkId=566....microsoft.com/

isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) =

http://uk.red.clientapps.yahoo.com/customi.../*http://uk.sea

rch.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet

Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} -

(no file)
O3 - Toolbar: &Save Flash - {4064EA35-578D-4073-A834-C96D82CBCF40} - C:\Program

Files\Save Flash\SaveFlash.dll
O4 - HKLM\..\Run: [CmUsbSound] RunDll32 cmcnfgu.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software

Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ShowIcon_JustRams_USB Product Driver v2.33r005] "C:\Program

Files\USB Product Driver v2.33r005\shwicon.exe" -t"JustRams\USB Product Driver

v2.33r005"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone

Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe"

-atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program

Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common

Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common

Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows

Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [ApachInc] rundll32.exe

"C:\WINDOWS\system32\gpyukkgc.dll",realset
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat

7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe"

--force_start_minimized
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]

"C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common

Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program

Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program

Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel -

res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} -

C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console -

{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program

Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} -

C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -

C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger -

{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

(file missing)
O15 - Trusted Zone: http://download.windowsupdate.com
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) -

C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) -

http://gfx1.mail.live.com/mail/w1/resources/MSNPUpld.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader

Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -

http://update.microsoft.com/windowsupdate/...lient/wuweb_sit

e.cab?1183645236314
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -

http://update.microsoft.com/microsoftupdat.../client/muweb_s

ite.cab?1183646282823
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class)

- http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} -

C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} -

C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} -

C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} -

C:\WINDOWS\system32\WPDShServiceObj.dll
O21 - SSODL: syshelps - {0B4A1EA5-CCB4-4E71-A2D9-C9E6C70A2B6B} - syshelps.dll

(file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program

Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common

Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. -

C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. -

C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation

- C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program

Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program

Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero

BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common

Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC -

C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe

BC AdBot (Login to Remove)

 


#2 jayparmar

jayparmar
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:51 PM

Posted 09 June 2007 - 05:57 AM

Hi! I am new to all of this, and after much research (along with constant viruses and pop-ups) I thought this place looked very helpful. I have posted a HijackThis log, and hopefully someone can make something of it, please. I am so annoyed with AVG saying I have a new trojan found in my Local Settings/Temp file, and the System 32 folder too. So, if anyone out there can, please do help me!!! :thumbsup:

As stated in the title, I keep on recieving pop-ups about WinAntiVirus 2007 and SystemDoctor!!! I don't know what to do!!!

Edited by jayparmar, 09 June 2007 - 06:03 AM.


#3 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:09:51 PM

Posted 09 June 2007 - 06:05 AM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum jayparmar :thumbsup:

The current formatting of your log makes it difficult to read/evaluate.
Open 'Notepad',click on 'Format' at the top,then uncheck 'Word Wrap' if it's checked.

******************************

Please download VundoFix.exe to your desktop.
Double-click VundoFix.exe to run it.
When VundoFix re-opens,click the "Scan for Vundo" button.
Once it's done scanning,click the "Remove Vundo" button.
You will receive a prompt asking if you want to remove the files, click "YES".
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed,it will prompt that it will reboot your computer,click "OK".
Post the contents of C:\vundofix.txt into your next reply.

Note:
It is possible that VundoFix encountered a file it could not remove.
In this case,VundoFix will run on reboot,simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

******************************

Please download Combofix and save to your desktop:
http://download.bleepingcomputer.com/sUBs/Beta/ComboFix.exe
Note:
It is important that it is saved directly to your desktop

Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.
Note:
Do not mouseclick combofix's window whilst it's running.
That may cause the program to freeze/hang.


******************************

Now go to:
C:\Program Files\HijackThis\HijackThis.exe
Right click on Hijackthis.exe and select 'Rename', rename it to abc.bat
Double click on abc.bat(which is still Hijackthis.exe),post that log into your next reply please.
Posted Image
Posted Image

#4 jayparmar

jayparmar
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:51 PM

Posted 09 June 2007 - 07:31 AM

Thanks for your help! But...Another problem! I was innocently chatting using Windows Live Messenger, when I recieved an invitation to accept a file called 'photos.zip', from one of my contacts. I stupidly extracted it and double-clicked on some sort of anonymous file, I think it was called 'webcam_photos_2007_screensaver' or something along those line...

Anyway, at random times, the worm opens up all my online contacts and attempts to send them the 'photos.zip' file, along with a message saying something like 'these are my holiday pictures', and lot of other things.

I have deleted everything to do with photos.zip, and run my AVG virus scanner, where it picks up trojans ( but I believe that is something to do with WinFixer and the WinAntiVirusPro2007 business, which I am currently sorting out). I have run Spybot, McAfee Stinger, but nothing.

HELP?!?!

#5 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:09:51 PM

Posted 09 June 2007 - 07:35 AM

Follow the instructions above please.
Posted Image
Posted Image

#6 jayparmar

jayparmar
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:51 PM

Posted 09 June 2007 - 07:57 AM

Yes - sorry, I was just getting my information out all in one go.

I ran the VundoFix program, and it got rid of a lt of DLLs.

****************************************************

Okay, so:

Here is the HijackThis Log File:

Logfile of HijackThis v1.99.1
Scan saved at 11:40:58, on 09/06/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\USB Product Driver v2.33r005\shwicon.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Jay\My Documents\stinger.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/customi...fo/bt_side.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.red.clientapps.yahoo.com/customi...arch.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=566...w.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://uk.red.clientapps.yahoo.com/customi...arch.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/customi...fo/bt_side.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=566...ER}&ar=home
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.clientapps.yahoo.com/customi...arch.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: &Save Flash - {4064EA35-578D-4073-A834-C96D82CBCF40} - C:\Program Files\Save Flash\SaveFlash.dll
O4 - HKLM\..\Run: [CmUsbSound] RunDll32 cmcnfgu.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ShowIcon_JustRams_USB Product Driver v2.33r005] "C:\Program Files\USB Product Driver v2.33r005\shwicon.exe" -t"JustRams\USB Product Driver v2.33r005"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [ApachInc] rundll32.exe "C:\WINDOWS\system32\gpyukkgc.dll",realset
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O15 - Trusted Zone: http://download.windowsupdate.com
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.mail.live.com/mail/w1/resources/MSNPUpld.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1183645236314
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1183646282823
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O21 - SSODL: syshelps - {0B4A1EA5-CCB4-4E71-A2D9-C9E6C70A2B6B} - syshelps.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe

and here is the ComboFix Log:

ComboFix 07-06-09.4 - C:\Documents and Settings\Jay\Desktop\ComboFix.exe
"Jay" - 2007-06-09 13:29:05 - Service Pack 2


(((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\olpmcbru.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


((((((((((((((((((((((((( Files Created from 2007-05-09 to 2007-06-09 )))))))))))))))))))))))))))))))


2007-06-09 13:28 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-09 12:06 <DIR> d-------- C:\VundoFix Backups
2007-06-08 20:45 <DIR> d-------- C:\Program Files\Lavasoft
2007-06-08 20:45 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\Lavasoft
2007-06-08 20:41 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-06-08 19:02 58,420 --a------ C:\WINDOWS\SYSTEM32\aungclmx.dll
2007-06-05 19:50 14,868 --a------ C:\WINDOWS\SYSTEM32\hftxknuk.exe
2007-06-04 15:18 9,344 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\NSDriver.sys
2007-06-04 15:17 8,320 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\AWRTRD.sys
2007-06-04 15:14 6,272 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\AWRTPD.sys
2007-05-31 18:20 <DIR> d-------- C:\DOCUME~1\Jay\APPLIC~1\Skype
2007-05-31 18:16 <DIR> d-------- C:\Program Files\Skype
2007-05-31 18:16 <DIR> d-------- C:\Program Files\Common Files\Skype
2007-05-31 18:15 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\Skype
2007-05-31 16:54 <DIR> d-------- C:\Program Files\Virtual Earth 3D
2007-05-29 18:10 <DIR> d-------- C:\Program Files\Windows Defender
2007-05-28 15:33 <DIR> d-------- C:\DOCUME~1\Jay\Program Files
2007-05-27 11:21 <DIR> d-------- C:\ConvertTemp
2007-05-27 11:19 <DIR> d-------- C:\DOCUME~1\Dilip\APPLIC~1\Samsung
2007-05-27 11:18 94,000 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\ss_mdm.sys
2007-05-27 11:18 8,304 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\ss_mdfl.sys
2007-05-27 11:18 6,144 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\ss_cmnt.sys
2007-05-27 11:18 6,144 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\ss_cm.sys
2007-05-27 11:18 58,320 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\ss_bus.sys
2007-05-27 11:18 5,808 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\ss_whnt.sys
2007-05-27 11:18 5,808 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\ss_wh.sys
2007-05-27 11:17 <DIR> d-------- C:\WINDOWS\SYSTEM32\Samsung_USB_Drivers
2007-05-27 11:17 <DIR> d-------- C:\WINDOWS\SYSTEM32\Samsung PC Studio Codecs
2007-05-27 11:17 <DIR> d-------- C:\Program Files\Samsung
2007-05-26 09:24 <DIR> d-------- C:\Program Files\Xilisoft
2007-05-23 20:42 <DIR> d-------- C:\DOCUME~1\Dilip\APPLIC~1\Real
2007-05-21 20:10 192,000 --a------ C:\WINDOWS\Life On Mars 02.scr
2007-05-21 20:10 <DIR> d-------- C:\WINDOWS\Life On Mars 02 dir
2007-05-21 20:09 535,040 --a------ C:\WINDOWS\flashax.exe
2007-05-21 20:09 12,288 --a------ C:\WINDOWS\impborl.dll
2007-05-15 20:48 254,976 --a------ C:\WINDOWS\xaudio.dll
2007-05-15 20:48 <DIR> d-------- C:\Program Files\Easy MP3 To WAV
2007-05-15 20:45 <DIR> d-------- C:\DOCUME~1\Jay\APPLIC~1\OpenOffice.org2
2007-05-15 20:40 <DIR> d-------- C:\Program Files\MP3 to WAV Decoder
2007-05-15 20:04 <DIR> d-------- C:\Program Files\OpenOffice.org 2.2
2007-05-15 19:52 <DIR> d-------- C:\Program Files\MIKSOFT
2007-05-14 20:44 <DIR> d-------- C:\Program Files\Common Files\xing shared
2007-05-14 20:41 <DIR> d-------- C:\Program Files\Common Files\Real
2007-05-14 20:40 <DIR> d-------- C:\Program Files\Real
2007-05-14 20:39 <DIR> d-------- C:\DOCUME~1\Jay\APPLIC~1\Real
2007-05-13 09:14 <DIR> d-------- C:\DOCUME~1\Dilip\APPLIC~1\Talkback
2007-05-12 16:39 <DIR> d-------- C:\DOCUME~1\Jay\APPLIC~1\DivX
2007-05-12 16:35 2,560 --------- C:\WINDOWS\SYSTEM32\DRIVERS\cdralw2k.sys
2007-05-12 16:35 2,432 --------- C:\WINDOWS\SYSTEM32\DRIVERS\cdr4_xp.sys
2007-05-12 16:35 129,784 --------- C:\WINDOWS\SYSTEM32\pxafs.dll
2007-05-12 16:35 118,520 --------- C:\WINDOWS\SYSTEM32\pxinsi64.exe
2007-05-12 16:35 116,472 --------- C:\WINDOWS\SYSTEM32\pxcpyi64.exe
2007-05-12 16:34 <DIR> d-------- C:\Program Files\DivX
2007-05-12 15:19 0 --a------ C:\WINDOWS\nsreg.dat
2007-05-12 15:19 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\TEMP
2007-05-11 19:54 <DIR> d-------- C:\Program Files\Save Flash
2007-05-11 19:20 69,632 --a------ C:\WINDOWS\SYSTEM32\lfgif13n.dll
2007-05-11 19:20 57,344 --a------ C:\WINDOWS\SYSTEM32\lfbmp13n.dll
2007-05-11 19:20 55,808 --a------ C:\WINDOWS\SYSTEM32\lfpsd13n.dll
2007-05-11 19:20 462,848 --a------ C:\WINDOWS\SYSTEM32\ltkrn13n.dll
2007-05-11 19:20 450,560 --a------ C:\WINDOWS\SYSTEM32\ltimg13n.dll
2007-05-11 19:20 401,408 --a------ C:\WINDOWS\SYSTEM32\lfcmp13n.dll
2007-05-11 19:20 299,008 --a------ C:\WINDOWS\SYSTEM32\ltdis13n.dll
2007-05-11 19:20 206,336 --a------ C:\WINDOWS\SYSTEM32\ltefx13n.dll
2007-05-11 19:20 163,840 --a------ C:\WINDOWS\SYSTEM32\ltfil13n.dll
2007-05-11 18:54 524,288 --a------ C:\WINDOWS\SYSTEM32\DivXsm.exe
2007-05-11 05:37 823,296 --a------ C:\WINDOWS\SYSTEM32\divx_xx0c.dll
2007-05-11 05:37 823,296 --a------ C:\WINDOWS\SYSTEM32\divx_xx07.dll
2007-05-11 05:37 802,816 --a------ C:\WINDOWS\SYSTEM32\divx_xx11.dll
2007-05-11 05:37 740,442 --a------ C:\WINDOWS\SYSTEM32\DivX.dll


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-05 14:39:58 -------- d-----w C:\DOCUME~1\Jay\APPLIC~1\Talkback
2007-07-05 13:56:50 -------- d-----w C:\Program Files\Common Files\Scanner
2007-07-05 13:54:46 -------- d-----w C:\Program Files\Yahoo!
2007-07-05 13:48:10 4,212 ---h--w C:\WINDOWS\system32\zllictbl.dat
2007-06-05 17:42:50 2,068 ----a-w C:\WINDOWS\system32\d3d9caps.dat
2007-05-31 15:56:44 1,310 ----a-w C:\WINDOWS\mozver.dat
2007-05-15 20:12:18 156,416 ----a-w C:\WINDOWS\system32\GDIPFONTCACHEV1.DAT
2007-05-08 21:07:44 196,732 ----a-w C:\WINDOWS\hpoins06.dat
2007-05-08 19:36:00 -------- d-----w C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-05-08 18:22:20 -------- d-----w C:\DOCUME~1\Jay\APPLIC~1\uTorrent
2007-05-07 21:28:22 -------- d-----w C:\Program Files\Nero
2007-05-07 21:28:20 -------- d-----w C:\Program Files\Common Files\Ahead
2007-05-07 19:21:44 -------- d-----w C:\Program Files\Elaborate Bytes
2007-05-07 18:28:26 -------- d-----w C:\DOCUME~1\Jay\APPLIC~1\SlySoft
2007-05-07 18:26:16 -------- d-----w C:\Program Files\SlySoft
2007-05-06 19:25:20 -------- d-----w C:\Program Files\Microsoft Works
2007-05-06 18:50:20 -------- d-----w C:\DOCUME~1\Jay\APPLIC~1\BitTorrent
2007-05-06 18:49:48 -------- d-----w C:\Program Files\BitTorrent
2007-05-06 18:48:42 -------- d-----w C:\Program Files\Musicnotes
2007-05-06 16:25:44 -------- d-----w C:\Program Files\DVDVIDEOSOFT
2007-05-06 15:03:50 -------- d-----w C:\DOCUME~1\Jay\APPLIC~1\vlc
2007-05-06 14:56:50 -------- d-----w C:\Program Files\VideoLAN
2007-05-06 14:45:08 -------- d-----w C:\Program Files\Sibelius Software
2007-05-06 14:12:42 -------- d-----w C:\Program Files\MSXML 4.0
2007-05-05 20:54:42 -------- d-----w C:\DOCUME~1\Jay\APPLIC~1\LimeWire
2007-05-05 20:48:52 -------- d-----w C:\Program Files\LimeWire
2007-05-05 20:42:04 -------- d-----w C:\Program Files\iTunes
2007-05-05 20:38:36 -------- d-----w C:\Program Files\QuickTime
2007-05-05 20:34:38 -------- d-----w C:\Program Files\Windows Media Connect 2
2007-05-05 20:33:48 -------- d-----w C:\Program Files\Apple Software Update
2007-05-05 19:46:28 -------- d-----w C:\DOCUME~1\Jay\APPLIC~1\Screenshot Sender
2007-05-05 19:44:36 -------- d-----w C:\Program Files\Messenger Plus! Live
2007-05-05 19:13:44 -------- d-----w C:\Program Files\MSN Messenger
2007-05-05 18:17:22 -------- d-----w C:\Program Files\btbb_wcm
2007-05-05 18:16:02 -------- d-----w C:\Program Files\BT Home Hub
2007-04-23 00:15:30 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2007-04-23 00:15:26 36,624 ------w C:\WINDOWS\system32\drivers\pxhelp20.sys
2007-04-23 00:15:20 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2007-04-23 00:15:20 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2007-04-23 00:02:36 73,728 ----a-w C:\WINDOWS\system32\dpl100.dll
2007-04-23 00:02:36 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
2007-04-23 00:02:34 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
2007-04-23 00:02:32 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
2007-04-23 00:02:32 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
2007-04-23 00:02:32 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
2007-04-23 00:02:32 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
2007-04-23 00:02:32 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
2007-04-23 00:01:48 124,472 ----a-w C:\WINDOWS\system32\DivXCodecUpdateChecker.exe
2007-04-23 00:01:48 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
2007-04-18 16:12:24 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-16 21:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-16 21:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-16 21:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-16 21:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-16 21:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-16 21:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-16 21:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-16 21:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-04-16 21:44:20 271,224 ----a-w C:\WINDOWS\system32\mucltui.dll
2007-04-16 21:44:18 208,248 ----a-w C:\WINDOWS\system32\muweb.dll
2007-04-13 14:19:52 7,680 ----a-w C:\WINDOWS\system32\lsdelete.exe
2007-04-05 10:48:42 1,664 ----a-w C:\DOCUME~1\Jay\APPLIC~1\ViewerApp.dat
2007-03-17 13:43:02 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll
2007-03-14 18:27:58 972,336 ----a-w C:\WINDOWS\UNRecode.exe
2007-03-14 18:19:56 95,864 ----a-w C:\WINDOWS\system32\NeroCo.dll
2007-03-14 18:19:26 972,336 ----a-w C:\WINDOWS\UNNeroBackItUp.exe
2007-03-12 12:51:08 972,336 ----a-w C:\WINDOWS\UNNeroMediaHome.exe
2007-03-09 00:02:00 75,512 ----a-w C:\WINDOWS\zllsputility.exe
2007-03-09 00:01:42 1,087,216 ----a-w C:\WINDOWS\system32\zpeng24.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{5F603D54-8A2B-4C52-8611-2433ED375C3A}=C:\WINDOWS\system32\ljhgg.dll []
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]
{E12BFF69-38A7-406e-A8EF-2738107A7831}=C:\WINDOWS\system32\aungclmx.dll [2007-06-08 19:02]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"pdfSaver3"="" []
"CmUsbSound"="cmcnfgu.cpl" []
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-11 23:12]
"ShowIcon_JustRams_USB Product Driver v2.33r005"="C:\Program Files\USB Product Driver v2.33r005\shwicon.exe" [2005-04-22 11:11]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-03-09 01:02]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-05-05 20:35]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-04-27 11:25]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-09 18:53]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-05-14 20:41]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"eyeBeam SIP Client"="" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45]
"BitTorrent"="C:\Program Files\BitTorrent\bittorrent.exe" []
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-03-12 13:49]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"=Narrator.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"{0B4A1EA5-CCB4-4E71-A2D9-C9E6C70A2B6B}"="syshelps.dll" []

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\khffffg]
khffffg.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\aawservice]

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a357ab31-ac66-11db-8a8f-c1999717e400}]
AutoRun\command- F:\PortableApps\PortableAppsMenu\PortableAppsMenu.exe


Contents of the 'Scheduled Tasks' folder
2007-05-05 20:34:00 C:\WINDOWS\tasks\AppleSoftwareUpdate.job
2007-06-09 11:00:02 C:\WINDOWS\tasks\HPpromotions journeysoftware.job
2007-06-09 12:39:00 C:\WINDOWS\tasks\MP Scheduled Scan.job

**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-09 13:36:29
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-06-09 13:41:20 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-06-09 13:39

--- E O F ---

**************************************************************************

Hope it is useful to you!

Edited by jayparmar, 09 June 2007 - 07:58 AM.


#7 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:09:51 PM

Posted 09 June 2007 - 10:05 AM

Download Avenger from the link below:
http://swandog46.geekstogo.com/avenger.zip
Unzip/extract it to your desktop.

Start up Avenger.
Check the 'Input script manually' option.
Click the Magnifying Glass icon.
In the box that opens,copy and paste ALL the following bold blue text in the Quote box below:

Files to delete:
C:\WINDOWS\SYSTEM32\aungclmx.dll
C:\WINDOWS\SYSTEM32\hftxknuk.exe
C:\WINDOWS\flashax.exe
C:\WINDOWS\system32\gpyukkgc.dll

Then click on 'Done'.
Click the Traffic Light icon to start the program.
Then press OK at the prompts to reboot your PC.

Post the Avenger output.txt, which you can find at C:\Avenger\.txt into your next reply.

*****************************

Now go to:
C:\Program Files\HijackThis\HijackThis.exe
Right click on Hijackthis.exe and select 'Rename', rename it to xyz.bat
Double click on xyz.bat(which is still Hijackthis.exe),post that log into your next reply please.
Posted Image
Posted Image

#8 jayparmar

jayparmar
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:51 PM

Posted 10 June 2007 - 02:47 AM

Hi! Just finished the Avenger ad HijackThis business...

Avenger Log:

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\wrjdflvg

*******************

Script file located at: \??\C:\WINDOWS\nhlrwoki.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINDOWS\SYSTEM32\aungclmx.dll deleted successfully.
File C:\WINDOWS\SYSTEM32\hftxknuk.exe deleted successfully.
File C:\WINDOWS\flashax.exe deleted successfully.


File C:\WINDOWS\system32\gpyukkgc.dll not found!
Deletion of file C:\WINDOWS\system32\gpyukkgc.dll failed!

Could not process line:
C:\WINDOWS\system32\gpyukkgc.dll
Status: 0xc0000034


Completed script processing.

*******************

Finished! Terminate.





HijackThis Log:

Logfile of HijackThis v1.99.1
Scan saved at 08:38:45, on 10/06/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\USB Product Driver v2.33r005\shwicon.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis\xyz.bat.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=566...w.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://uk.red.clientapps.yahoo.com/customi...arch.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/customi...fo/bt_side.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.clientapps.yahoo.com/customi...arch.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5F603D54-8A2B-4C52-8611-2433ED375C3A} - C:\WINDOWS\system32\ljhgg.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {E12BFF69-38A7-406e-A8EF-2738107A7831} - C:\WINDOWS\system32\aungclmx.dll (file missing)
O3 - Toolbar: &Save Flash - {4064EA35-578D-4073-A834-C96D82CBCF40} - C:\Program Files\Save Flash\SaveFlash.dll
O4 - HKLM\..\Run: [CmUsbSound] RunDll32 cmcnfgu.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ShowIcon_JustRams_USB Product Driver v2.33r005] "C:\Program Files\USB Product Driver v2.33r005\shwicon.exe" -t"JustRams\USB Product Driver v2.33r005"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O15 - Trusted Zone: http://download.windowsupdate.com
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.mail.live.com/mail/w1/resources/MSNPUpld.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1183645236314
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1183646282823
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: khffffg - khffffg.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O21 - SSODL: syshelps - {0B4A1EA5-CCB4-4E71-A2D9-C9E6C70A2B6B} - syshelps.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe





Thanks again for the help!

#9 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:09:51 PM

Posted 10 June 2007 - 07:36 AM

Please download DrWeb-CureIt & save it to your desktop. DO NOT perform a scan yet.

You should copy/print the following because you need to be in Safe Mode from here on.

Reboot your computer into SAFE MODE" using the F8 method.
To do this,restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly.
A menu will appear with several options.
Use the arrow keys on your keyboard to navigate and select the option to run Windows in "Safe Mode".

Have Hijack This fix the following by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:
O2 - BHO: (no name) - {5F603D54-8A2B-4C52-8611-2433ED375C3A} - C:\WINDOWS\system32\ljhgg.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {E12BFF69-38A7-406e-A8EF-2738107A7831} - C:\WINDOWS\system32\aungclmx.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O20 - Winlogon Notify: khffffg - khffffg.dll (file missing)
O21 - SSODL: syshelps - {0B4A1EA5-CCB4-4E71-A2D9-C9E6C70A2B6B} - syshelps.dll (file missing)

Exit Hijackthis.

Scan with DrWeb-CureIt as follows:
* Double-click on drweb-cureit.exe to start the program. An "Express Scan of your PC" notice will appear.
* Under "Start the Express Scan Now", Click "OK" to start. This is a short scan that will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it.
* Once the short scan has finished, Click Options > Change settings
* Choose the "Scan tab" and UNcheck "Heuristic analysis"
* Back at the main window, click "Select drives" (a red dot will show which drives have been chosen)
* Then click the "Start/Stop Scanning" button (green arrow on the right) and the scan will start.
* When done, a message will be displayed at the bottom advising if any viruses were found.
* Click "Yes to all" if it asks if you want to cure/move the file.
* When the scan has finished, look if you can see the icon next to the files found. If so, click it, then click the next icon right below and select "Move incurable".
(This will move it to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if it can't be cured)
* Next, in the Dr.Web CureIt menu on top, click file and choose save report list.
* Save the DrWeb.csv report to your desktop.
* Exit Dr.Web Cureit when done.
* Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
* After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.cvs report)

Also post a new Hijackthis log please.
Let me know how your pc is running now.

Posted Image
Posted Image

#10 jayparmar

jayparmar
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:51 PM

Posted 21 June 2007 - 04:49 PM

Hi again! I am extremely sorry about not replying-i do appreciate what u are doing!

I use a wireless keyboard, which doesnt activate until log on screen! So basically u cant prss F8! I have had a few GCSEs lately so have been very busy. Anyway, the computer seems to be running very well, without viruses and what not. Unfortunately, i have a second computer, which has had the same problem for ages. I will do the necassary stuff so it can be analysed! Thanks again - you are a tru godsend-sorry for not replying. Please fix me and my second computer!!!

#11 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:09:51 PM

Posted 21 June 2007 - 04:59 PM

If all's ok,please do the following:

Find and delete:
VundoFix.exe
Combofix
Avenger

C:\VundoFix Backups
C:\Avenger
C:\QooBox

-----------------------

Download ATF Cleaner by Atribune:
http://www.atribune.org/ccount/click.php?id=1

Double-click ATF-Cleaner.exe to run the program.
Click 'Select All' found at the bottom of the list.
Click the 'Empty Selected' button.

If you use Firefox browser, do this also:
Click Firefox at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords,please click 'No' at the prompt.

If you use Opera browser,do this also:
Click Opera at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords,please click 'No' at the prompt.

Click 'Exit' on the Main menu to close the program.

-----------------------

Click on Start/All Programs/Accessories/System Tools/System Restore.
In the 'System Restore' window,click on the 'Create a Restore Point' button,then click 'Next'.
In the window that appears,enter a description\name for the Restore Point,then click on 'Create',wait,then click 'Close'.
The date and time will be created automatically.

Next click on Start/All Programs/Accessories/System Tools/Disk Cleanup.
The 'Select Drive' box will appear,click on Ok.
The 'Disk Cleanup for [C:]' box will appear,click on the 'More Options' tab.
At the bottom in the 'System Restore' window,click on the 'Clean up...' button.
A box will pop up 'Are you sure you want to delete all but the most recent restore point?',click on 'Yes'.
Click on 'Yes' at 'Are you sure you want to perform these actions?'.
Now wait until 'Disk Cleanup' finishes and the box disappears.

Read through the information found here,to help you prevent any possible future infections.
'How to prevent Malware' by miekiemoes:
http://users.telenet.be/bluepatchy/miekiem...prevention.html

Once you've completed the above,post a Hijackthis log into this topic for your second pc.

:thumbsup:
Posted Image
Posted Image

#12 jayparmar

jayparmar
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:51 PM

Posted 22 June 2007 - 05:30 PM

Okay-awful lot of dll's and whatnots...

Can you make anything of it please?
Logfile of HijackThis v1.99.1
Scan saved at 11:24:58 PM, on 6/22/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\WINNT\system32\ctfmon.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\UAService7.exe
C:\Program Files\BT Home Hub\Wireless Configuration\WirelessDaemon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\xihodhrv.exe
C:\Program Files\honestech Video Editor 7.0 Trial\honestechVideoEditor.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINNT\system32\taskmgr.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://search.imesh.com/sidebar.html?src=ssb
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.imesh.com/sidebar.html?src=ssb
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.imesh.com/sidebar.html?src=ssb
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/customi...fo/bt_side.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.imesh.com/sidebar.html?src=ssb
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.clientapps.yahoo.com/customi...arch.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [LogonStudio] "C:\Program Files\WinCustomize\LogonStudio\logonstudio.exe" /RANDOM
O4 - HKLM\..\Run: [GPLv3] rundll32.exe "C:\WINNT\system32\qebwwhul.dll",realset
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [SIM] "C:\Program Files\SIM\sim.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200612...ex/qtplugin.cab
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by126w.bay126.mail.live.com/mail/re...es/MsnPUpld.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1165391024600
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1161133931844
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {97E71027-0BA2-44F2-97DB-F84D808ED0B6} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab55762.cab
O16 - DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} (ZPA_TexasHoldem Object) - http://zone.msn.com/bingame/zpagames/zpa_txhe.cab55579.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/...tiveXPlugin.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab55200.cab
O16 - DPF: {F773E7B2-62A9-4524-9109-87D2F0BEFAA4} (ChessControl Class) - http://sympatico.zone.msn.com/bingame/zpag...rp.cab56961.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINNT\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINNT\system32\UAService7.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
O23 - Service: Wireless Adapter Configurator - Tech Mahindra- PUNE - C:\Program Files\BT Home Hub\Wireless Configuration\WirelessDaemon.exe

----------------------------------------------------------------------------------------------------------------------------------------

#13 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:09:51 PM

Posted 22 June 2007 - 05:47 PM

Please download VundoFix.exe to your desktop.
Double-click VundoFix.exe to run it.
When VundoFix re-opens,click the "Scan for Vundo" button.
Once it's done scanning,click the "Remove Vundo" button.
You will receive a prompt asking if you want to remove the files, click "YES".
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed,it will prompt that it will reboot your computer,click "OK".
Post the contents of C:\vundofix.txt into your next reply.

Note:
It is possible that VundoFix encountered a file it could not remove.
In this case,VundoFix will run on reboot,simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

*************************

Please download Combofix and save to your desktop:
http://download.bleepingcomputer.com/sUBs/Beta/ComboFix.exe
Note:
It is important that it is saved directly to your desktop

Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.
Note:
Do not mouseclick combofix's window while it's running.
That may cause the program to freeze/hang.


*************************

Now go to:
C:\Program Files\HijackThis\HijackThis.exe
Right click on Hijackthis.exe and select 'Rename', rename it to abc.bat
Double click on abc.bat(which is still Hijackthis.exe),post that log into your next reply please.
Posted Image
Posted Image

#14 jayparmar

jayparmar
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:51 PM

Posted 27 June 2007 - 01:16 PM

"Jay" - 2007-06-27 18:47:55 - ComboFix 07-06-28 - Service Pack 2 NTFS


(((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINNT\system32\bcjedtok.dll
C:\WINNT\system32\bubbsrxm.dll
C:\WINNT\system32\gdmkquao.dll
C:\WINNT\system32\gnseqguv.dll
C:\WINNT\system32\hggfcdb.dll
C:\WINNT\system32\hgggggd.dll
C:\WINNT\system32\iiffcdc.dll
C:\WINNT\system32\kvuvcppp.dll
C:\WINNT\system32\lpkeqdng.dll
C:\WINNT\system32\npbpyeut.dll
C:\WINNT\system32\oopqduds.dll
C:\WINNT\system32\pmnonol.dll
C:\WINNT\system32\stsrgsrf.dll
C:\WINNT\system32\urqrppq.dll
C:\WINNT\system32\wvuvuvu.dll
C:\WINNT\system32\xxyabcb.dll
C:\WINNT\system32\ykbwkecw.dll
C:\WINNT\system32\vugqesng.ini
C:\WINNT\system32\tueypbpn.ini
C:\WINNT\system32\tuwxx.bak1
C:\WINNT\system32\tuwxx.bak2
C:\WINNT\system32\tuwxx.ini


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\Jay\APPLIC~1.\macromedia\Flash Player\#SharedObjects\9VK5VUFL\www.broadcaster.com
C:\DOCUME~1\Jay\APPLIC~1.\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\DOCUME~1\Jay\APPLIC~1.\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
C:\Program Files\vsadd-in


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_NM
-------\LEGACY_NPF
-------\nm


((((((((((((((((((((((((( Files Created from 2007-05-27 to 2007-06-27 )))))))))))))))))))))))))))))))


2007-06-27 18:47 49,152 --a------ C:\WINNT\nircmd.exe
2007-06-27 18:20 <DIR> d-------- C:\VundoFix Backups
2007-06-22 22:21 4,628 --a------ C:\WINNT\system32\xihodhrv.exe
2007-06-22 22:14 <DIR> d-------- C:\Program Files\ImTOO
2007-06-22 21:42 <DIR> d-------- C:\Program Files\uTorrent
2007-06-22 21:29 <DIR> d-------- C:\Program Files\honestech Video Editor 7.0 Trial
2007-06-21 23:44 <DIR> d-------- C:\Program Files\Lavasoft
2007-06-21 23:44 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\Lavasoft
2007-06-21 23:43 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-06-21 23:43 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\Spybot - Search & Destroy
2007-06-19 22:03 187,392 --a------ C:\WINNT\system32\JPGUtils.dll
2007-06-19 22:03 <DIR> d-------- C:\Program Files\WinCustomize
2007-06-19 22:03 <DIR> d-------- C:\Program Files\Common Files\Stardock
2007-06-16 16:38 <DIR> d-------- C:\Program Files\Windows Live
2007-06-15 22:59 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-06-09 23:06 <DIR> d-------- C:\DOCUME~1\Jay\APPLIC~1\uTorrent
2007-06-05 14:07 <DIR> d-------- C:\Program Files\AdventNet
2007-06-05 13:09 75,512 --a------ C:\WINNT\zllsputility.exe
2007-06-05 13:08 1,087,216 --a------ C:\WINNT\system32\zpeng24.dll
2007-06-04 15:18 9,344 --a------ C:\WINNT\system32\drivers\NSDriver.sys
2007-06-04 15:17 8,320 --a------ C:\WINNT\system32\drivers\AWRTRD.sys
2007-06-04 15:14 6,272 --a------ C:\WINNT\system32\drivers\AWRTPD.sys
2007-05-31 08:17 <DIR> d-------- C:\Program Files\OpenOffice.org 2.2


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-12 20:30:55 -------- d-----w C:\Program Files\Common Files\Macromedia Shared
2007-07-12 06:56:42 -------- d---a-w C:\Program Files\Google
2007-07-12 06:50:40 -------- d---a-w C:\Program Files\Yahoo!
2007-07-12 06:37:04 -------- d-----w C:\Program Files\AviSynth 2.5
2007-06-22 20:29:16 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-06-21 21:24:56 1,015,296 ----a-w C:\WINNT\system32\logonuiX.exe
2007-06-16 15:38:46 -------- d---a-w C:\Program Files\Messenger Plus! Live
2007-06-15 21:07:12 -------- d-----w C:\DOCUME~1\Jay\APPLIC~1\LimeWire
2007-06-05 12:12:12 4,212 ---h--w C:\WINNT\system32\zllictbl.dat
2007-05-31 08:37:07 -------- d-----w C:\DOCUME~1\Jay\APPLIC~1\OpenOffice.org2
2007-05-31 07:12:33 -------- d-----w C:\Program Files\OpenOffice.org 2.1
2007-05-16 15:12:02 683,520 ----a-w C:\WINNT\system32\inetcomm.dll
2007-04-25 14:21:15 144,896 ----a-w C:\WINNT\system32\schannel.dll
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINNT\system32\msi.dll
2007-04-16 21:47:36 33,624 ----a-w C:\WINNT\system32\wups.dll
2007-04-16 21:45:54 1,710,936 ----a-w C:\WINNT\system32\wuaueng.dll
2007-04-16 21:45:48 549,720 ----a-w C:\WINNT\system32\wuapi.dll
2007-04-16 21:45:42 325,976 ----a-w C:\WINNT\system32\wucltui.dll
2007-04-16 21:45:36 203,096 ----a-w C:\WINNT\system32\wuweb.dll
2007-04-16 21:45:28 92,504 ----a-w C:\WINNT\system32\cdm.dll
2007-04-16 21:45:20 53,080 ----a-w C:\WINNT\system32\wuauclt.exe
2007-04-16 21:45:20 43,352 ----a-w C:\WINNT\system32\wups2.dll
2007-04-16 21:44:20 271,224 ----a-w C:\WINNT\system32\mucltui.dll
2007-04-16 21:44:18 208,248 ----a-w C:\WINNT\system32\muweb.dll
2007-04-13 14:19:52 7,680 ----a-w C:\WINNT\system32\lsdelete.exe
2007-04-11 09:37:00 2,368 ----a-w C:\WINNT\system32\SVKP.sys
2007-04-05 14:46:20 39,424 -c--a-w C:\WINNT\zipinst.exe
2007-04-05 13:56:35 1,168 -c--a-w C:\WINNT\mozver.dat
2007-04-01 21:31:29 31,844 ------w C:\WINNT\system32\ssqpo.exe
2007-03-29 09:06:25 31,844 ------w C:\WINNT\system32\mllkj.exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{1F67EA02-2AD2-49F8-AB3A-B9554A26086A}=C:\WINNT\system32\rqrrs.dll []
{535659DA-D1D9-48F6-AE8F-65528A49192C}=C:\WINNT\system32\xxwut.dll []
{53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 01:04]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0\bin\ssv.dll [2007-05-31 07:34]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [2004-08-04 01:56 C:\WINNT\system32\mobsync.exe]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-01-01 20:48]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0\bin\jusched.exe" [2007-05-31 07:34]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-02-16 11:54]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-03-14 20:05]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-04-21 10:28]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-03-09 01:02]
"LogonStudio"="C:\Program Files\WinCustomize\LogonStudio\logonstudio.exe" [2002-09-03 18:38]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SIM"="C:\Program Files\SIM\sim.exe" []
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" []
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45]
"ctfmon.exe"="C:\WINNT\system32\ctfmon.exe" [2004-08-04 01:56]
"eyeBeam SIP Client"="" []

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"=C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop
"tscuninstall"=%systemroot%\system32\tscupgrd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\opnolml]
opnolml.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages scecli scecli scecli

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\aawservice]


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{14c8ca93-7c73-11db-b358-0002a5be6c3a}]
AutoRun\command- E:\PortableApps\PortableAppsMenu\PortableAppsMenu.exe


Contents of the 'Scheduled Tasks' folder
2007-07-12 06:53:08 C:\WINNT\tasks\AppleSoftwareUpdate.job

**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-27 18:57:41
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

cmd.exe [5672]


scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-06-27 19:00:52 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-06-27 19:00

--- E O F ---

#15 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:09:51 PM

Posted 27 June 2007 - 02:23 PM

Now go to:
C:\Program Files\HijackThis\HijackThis.exe
Right click on Hijackthis.exe and select 'Rename', rename it to abc.bat
Double click on abc.bat(which is still Hijackthis.exe),post that log into your next reply please.

Could you also do the above as requested.
Posted Image
Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users