Several Popups From Cpvfeed And System Gets Very Slow


  • This topic is locked
13 replies to this topic

#1 vjaybm


Posted 23 June 2007 - 09:30 PM

Hi,

When I open Internet Explorer, several windows suddenly pop up and the system almost hangs. There are several windows being opened by url.cpvfeed.

The HijackThis file is as follows:

Logfile of HijackThis v1.99.1
Scan saved at 10:11:21 PM, on 6/23/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\cfg32.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\cfg32a.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ads.k8l.info/media/servlet/view/dyn...TTC=6&GNW=0
O4 - HKLM\..\Run: [Configuration Manager] C:\WINDOWS\cfg32.exe
O4 - HKLM\..\Run: [Salestart] "C:\Program Files\Common Files\WinAntiVirus Pro 2007\mav_startupmon.exe"
O4 - HKLM\..\Run: [{B5-5F-F4-4F-ZN}] C:\windows\system32\modsregl.exe CHD003
O4 - HKLM\..\Run: [GPLv3] rundll32.exe "C:\WINDOWS\system32\kehtdock.dll",realset
O4 - HKLM\..\RunOnce: [SpybotDeletingA9649] command /c del "C:\WINDOWS\cfg32o.dll_tobedeleted_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC2887] cmd /c del "C:\WINDOWS\cfg32o.dll_tobedeleted_old"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\RunOnce: [SpybotDeletingB6693] command /c del "C:\WINDOWS\cfg32o.dll_tobedeleted_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD3885] cmd /c del "C:\WINDOWS\cfg32o.dll_tobedeleted_old"
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\myuqwncj.exe (file missing)
O23 - Service: Net Agent - Unknown owner - C:\WINDOWS\dls0523pmw.exe (file missing)

----------------------------------------

Please help me get rid of these popups and cpvfeed.

-Vijay


#2 SifuMike (malware expert)

Posted 23 June 2007 - 11:10 PM

Hello Vijay,


I am SifuMike and I will be helping you.

Before we start, you need to realize that you are missing one important program on that computer: an antivirus. :thumbsup:

I am sure that is the reason you are infected now. :flowers:

This is somewhat suicidal in today's digital world.


You need to install an antivirus program as soon as you can and run a complete scan of the computer.

I recommend you download the free Avast, AntiVir or AVG antivirus.


Never install more than one antivirus scanner or firewall on your system! Running several together can cause problems and seriously decrease the reliability of your system!



1. Download this file - combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post the ComboFix log and a fresh Hijackthis log in your next reply.

Note:
Do not mouse-click combofix's window while it's running. That may cause it to stall.
Trojan Hunter has been reported to detect combofix as Worm.Qiv.100.

Edited by SifuMike, 23 June 2007 - 11:14 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 vjaybm (Topic Starter)

Posted 24 June 2007 - 10:56 AM

Hi SifuMike,

Thanks for the kind help. I have installed Avast! antivirus now.

The ComboFix file is as follows:

"jyoti" - 2007-06-24 11:21:20 - ComboFix 07-06-23.5 - Service Pack 2


(((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\wbswelht.dll
C:\WINDOWS\system32\mlwpniyt.dll
C:\WINDOWS\system32\rweyvjwp.dll
C:\WINDOWS\system32\nkpvvxjg.dll
C:\WINDOWS\system32\rhcubfeu.dll
C:\WINDOWS\system32\xpfqjlap.dll
C:\WINDOWS\system32\fktwynbx.dll
C:\WINDOWS\system32\kinkexar.dll
C:\WINDOWS\system32\jgkwsqjq.dll
C:\WINDOWS\system32\fvkaweqr.dll
C:\WINDOWS\system32\mlpbgsnu.dll
C:\WINDOWS\system32\qvhwwqfk.dll
C:\WINDOWS\system32\awhbreon.dll
C:\WINDOWS\system32\bcnpeorc.dll
C:\WINDOWS\system32\rdqupdpt.dll
C:\WINDOWS\system32\ggtcqekm.dll
C:\WINDOWS\system32\cljvwfnd.dll
C:\WINDOWS\system32\yfqrepnh.dll
C:\WINDOWS\system32\kopjvfhs.dll
C:\WINDOWS\system32\kjhhydgf.dll
C:\WINDOWS\system32\cbasdper.dll
C:\WINDOWS\system32\mcqtjfbj.dll
C:\WINDOWS\system32\loejbjjg.dll
C:\WINDOWS\system32\jifkaayl.dll
C:\WINDOWS\system32\thlewsbw.ini
C:\WINDOWS\system32\tyinpwlm.ini
C:\WINDOWS\system32\pwjvyewr.ini
C:\WINDOWS\system32\gjxvvpkn.ini
C:\WINDOWS\system32\uefbuchr.ini
C:\WINDOWS\system32\paljqfpx.ini
C:\WINDOWS\system32\dfhkj.ini
C:\WINDOWS\system32\dfhkj.tmp
C:\WINDOWS\system32\dfhkj.bak2
C:\WINDOWS\system32\dfhkj.ini2
C:\WINDOWS\system32\raxeknik.ini
C:\WINDOWS\system32\unsgbplm.ini
C:\WINDOWS\system32\noerbhwa.ini
C:\WINDOWS\system32\croepncb.ini
C:\WINDOWS\system32\tpdpuqdr.ini
C:\WINDOWS\system32\mkeqctgg.ini
C:\WINDOWS\system32\dnfwvjlc.ini
C:\WINDOWS\system32\shfvjpok.ini
C:\WINDOWS\system32\fgdyhhjk.ini
C:\WINDOWS\system32\repdsabc.ini
C:\WINDOWS\system32\jbfjtqcm.ini
C:\WINDOWS\system32\gjjbjeol.ini
C:\WINDOWS\system32\dfhkj.ini
C:\WINDOWS\system32\dfhkj.tmp
C:\WINDOWS\system32\dfhkj.bak2
C:\WINDOWS\system32\dfhkj.ini2
C:\WINDOWS\system32\jkhfd.dll
C:\WINDOWS\system32\pmnllmn.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\ALLUSE~1\APPLIC~1.\SalesMonitor
C:\Program Files\Common Files\mantec~1
C:\Program Files\ipwindows
C:\Temp\0b9
C:\Temp\0b9\tmpTF.log
C:\Temp\tn3
C:\WINDOWS\cfg32.exe
C:\WINDOWS\cfg32a.exe
C:\WINDOWS\cfg32r.dll
C:\WINDOWS\cs_cache.ini
C:\WINDOWS\itpb_3.exe
C:\WINDOWS\racle~1
C:\WINDOWS\rau001978.exe
C:\WINDOWS\stub_mma2.exe
C:\WINDOWS\system32\300NE26b.exe
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\core.sys
C:\WINDOWS\system32\dwdsregt.exe
C:\WINDOWS\system32\msnav32.ax
C:\WINDOWS\system32\msxml3a.dll
C:\WINDOWS\system32\oipJlt6U.exe
C:\WINDOWS\system32\owinpndt.exe
C:\WINDOWS\system32\pog
C:\WINDOWS\system32\rdt3T0UL.exe
C:\WINDOWS\system32\T3
C:\WINDOWS\system32\T4
C:\WINDOWS\system32\T4\amst5.exe
C:\WINDOWS\system32\T6
C:\WINDOWS\system32\T7
C:\WINDOWS\system32\T7\wb22.exe
C:\WINDOWS\tasks\At10.job
C:\WINDOWS\tasks\At11.job
C:\WINDOWS\tasks\At12.job
C:\WINDOWS\tasks\At13.job
C:\WINDOWS\tasks\At14.job
C:\WINDOWS\tasks\At15.job
C:\WINDOWS\tasks\At16.job
C:\WINDOWS\tasks\At17.job
C:\WINDOWS\tasks\At18.job
C:\WINDOWS\tasks\At19.job
C:\WINDOWS\tasks\At2.job
C:\WINDOWS\tasks\At20.job
C:\WINDOWS\tasks\At21.job
C:\WINDOWS\tasks\At22.job
C:\WINDOWS\tasks\At23.job
C:\WINDOWS\tasks\At24.job
C:\WINDOWS\tasks\At25.job
C:\WINDOWS\tasks\At26.job
C:\WINDOWS\tasks\At27.job
C:\WINDOWS\tasks\At28.job
C:\WINDOWS\tasks\At29.job
C:\WINDOWS\tasks\At3.job
C:\WINDOWS\tasks\At30.job
C:\WINDOWS\tasks\At31.job
C:\WINDOWS\tasks\At32.job
C:\WINDOWS\tasks\At33.job
C:\WINDOWS\tasks\At34.job
C:\WINDOWS\tasks\At35.job
C:\WINDOWS\tasks\At36.job
C:\WINDOWS\tasks\At37.job
C:\WINDOWS\tasks\At38.job
C:\WINDOWS\tasks\At39.job
C:\WINDOWS\tasks\At4.job
C:\WINDOWS\tasks\At40.job
C:\WINDOWS\tasks\At41.job
C:\WINDOWS\tasks\At42.job
C:\WINDOWS\tasks\At43.job
C:\WINDOWS\tasks\At44.job
C:\WINDOWS\tasks\At45.job
C:\WINDOWS\tasks\At46.job
C:\WINDOWS\tasks\At47.job
C:\WINDOWS\tasks\At48.job
C:\WINDOWS\tasks\At49.job
C:\WINDOWS\tasks\At5.job
C:\WINDOWS\tasks\At50.job
C:\WINDOWS\tasks\At51.job
C:\WINDOWS\tasks\At52.job
C:\WINDOWS\tasks\At53.job
C:\WINDOWS\tasks\At54.job
C:\WINDOWS\tasks\At55.job
C:\WINDOWS\tasks\At56.job
C:\WINDOWS\tasks\At57.job
C:\WINDOWS\tasks\At58.job
C:\WINDOWS\tasks\At59.job
C:\WINDOWS\tasks\At6.job
C:\WINDOWS\tasks\At60.job
C:\WINDOWS\tasks\At61.job
C:\WINDOWS\tasks\At62.job
C:\WINDOWS\tasks\At63.job
C:\WINDOWS\tasks\At64.job
C:\WINDOWS\tasks\At65.job
C:\WINDOWS\tasks\At66.job
C:\WINDOWS\tasks\At67.job
C:\WINDOWS\tasks\At68.job
C:\WINDOWS\tasks\At69.job
C:\WINDOWS\tasks\At7.job
C:\WINDOWS\tasks\At70.job
C:\WINDOWS\tasks\At71.job
C:\WINDOWS\tasks\At72.job
C:\WINDOWS\tasks\At8.job
C:\WINDOWS\tasks\At9.job
C:\WINDOWS\wr.txt


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_CORE
-------\LEGACY_DOMAINSERVICE
-------\LEGACY_NET_AGENT
-------\LEGACY_WINDOWS_OVERLAY_COMPONENTS
-------\core
-------\DomainService
-------\Net Agent


((((((((((((((((((((((((( Files Created from 2007-05-24 to 2007-06-24 )))))))))))))))))))))))))))))))


2007-06-24 11:19 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-24 11:16 122,900 --a------ C:\WINDOWS\system32\bnkccekm.exe
2007-06-24 11:14 916 --a------ C:\WINDOWS\system32\winpfz32.sys
2007-06-24 11:10 49,178 --a------ C:\WINDOWS\system32\modsregl.exe
2007-06-24 10:57 95,872 --a------ C:\WINDOWS\system32\AvastSS.scr
2007-06-24 10:57 43,176 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-06-24 10:57 26,888 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-06-24 10:57 23,416 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-06-24 10:56 94,552 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-06-24 10:56 85,952 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-06-24 10:56 745,600 --a------ C:\WINDOWS\system32\aswBoot.exe
2007-06-24 10:56 <DIR> d-------- C:\Program Files\Alwil Software
2007-06-24 10:53 122,900 --a------ C:\WINDOWS\system32\vedjjyer.exe
2007-06-24 10:52 49,152 --a------ C:\WINDOWS\itpb_11.exe
2007-06-23 21:38 122,900 --a------ C:\WINDOWS\system32\dlpyjhmq.exe
2007-06-23 21:06 122,900 --a------ C:\WINDOWS\system32\uvtalcky.exe
2007-06-23 21:01 122,900 --a------ C:\WINDOWS\system32\okmgodvn.exe
2007-06-23 19:39 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-06-23 19:38 122,900 --a------ C:\WINDOWS\system32\lsjvabbq.exe
2007-06-23 19:34 <DIR> d--hs---- C:\FOUND.001
2007-06-23 19:12 122,900 --a------ C:\WINDOWS\system32\jcuwxskd.exe
2007-06-23 19:04 122,900 --a------ C:\WINDOWS\system32\fmrllwif.exe
2007-06-23 18:58 <DIR> d-------- C:\WINDOWS\pss
2007-06-23 18:41 2,580 --a------ C:\WINDOWS\system32\lbooqnaj.exe
2007-06-23 18:36 4,628 --a------ C:\WINDOWS\system32\wepiiiel.exe
2007-06-23 18:36 122,900 --a------ C:\WINDOWS\system32\cmbjjixj.exe
2007-06-23 18:34 122,900 --a------ C:\WINDOWS\system32\rdmfjybt.exe
2007-06-23 18:34 <DIR> d-------- C:\DOCUME~1\jyoti\APPLIC~1\Yahoo!
2007-06-23 18:30 786,432 --ah----- C:\DOCUME~1\jyoti\NTUSER.DAT
2007-06-23 18:28 122,900 --a------ C:\WINDOWS\system32\psgllrvj.exe
2007-06-23 18:16 122,900 --a------ C:\WINDOWS\system32\xjujppcc.exe
2007-06-23 17:59 122,880 --a------ C:\WINDOWS\xmlhelper2.dll
2007-06-22 23:56 4,628 --a------ C:\WINDOWS\system32\nljbpcmk.exe
2007-06-19 10:13 122,880 --a------ C:\WINDOWS\xmlhelper.dll
2007-06-12 20:33 5,504 --a------ C:\WINDOWS\system32\drivers\MSTEE.sys
2007-06-12 20:32 15,360 --a------ C:\WINDOWS\system32\drivers\StreamIP.sys
2007-06-12 20:32 11,136 --a------ C:\WINDOWS\system32\drivers\SLIP.sys
2007-06-12 20:32 10,880 --a------ C:\WINDOWS\system32\drivers\NdisIP.sys
2007-06-12 20:31 85,376 --a------ C:\WINDOWS\system32\drivers\NABTSFEC.sys
2007-06-12 20:31 19,328 --a------ C:\WINDOWS\system32\drivers\WSTCODEC.SYS
2007-06-12 20:31 17,024 --a------ C:\WINDOWS\system32\drivers\CCDECODE.sys
2007-06-12 20:29 53,760 --a------ C:\WINDOWS\system32\vfwwdm32.dll
2007-06-12 20:29 39,424 -ra------ C:\WINDOWS\system32\drivers\LVUSBSta.sys
2007-06-12 20:29 380,928 -ra------ C:\WINDOWS\system32\LVUI2RC.dll
2007-06-12 20:29 287,360 -ra------ C:\WINDOWS\system32\drivers\LV561AV.SYS
2007-06-12 20:29 217,088 -ra------ C:\WINDOWS\system32\LVUI2.dll
2007-06-12 20:29 204,800 -ra------ C:\WINDOWS\system32\lvcodec2.dll
2007-06-12 20:29 2,112 -ra------ C:\WINDOWS\system32\Repository.reg
2007-06-12 20:29 110,592 -ra------ C:\WINDOWS\system32\lvcoinst.dll
2007-06-12 20:07 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Yahoo!
2007-06-12 19:55 <DIR> d-------- C:\Program Files\Yahoo!
2007-06-11 23:20 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2007-06-11 23:20 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2007-06-11 23:20 <DIR> d-------- C:\WINDOWS\system32\PreInstall
2007-06-11 20:40 <DIR> d-------- C:\Program Files\Common Files\Ahead
2007-06-11 20:37 <DIR> d-------- C:\Program Files\Nero
2007-06-11 18:53 <DIR> d-------- C:\anti-virus
2007-06-11 18:09 <DIR> d-------- C:\WINDOWS\system32\SoftwareDistribution
2007-06-11 18:02 <DIR> d--hs---- C:\FOUND.000
2007-06-10 20:17 <DIR> d--hs---- C:\UWA7P
2007-06-10 18:21 89,088 --a------ C:\WINDOWS\system32\atl71.dll
2007-06-10 18:21 8,704 --a------ C:\WINDOWS\system32\SpOrder.dll
2007-06-10 18:21 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
2007-06-10 18:21 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll
2007-06-10 18:21 1,060,864 --a------ C:\WINDOWS\system32\mfc71.dll
2007-06-10 18:21 <DIR> d-------- C:\Program Files\Common Files\WinAntiVirus Pro 2007
2007-06-10 18:21 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\WinAntiVirus Pro 2007
2007-06-10 18:09 <DIR> d-------- C:\WINDOWS\system32\TQ0
2007-06-10 18:09 <DIR> d-------- C:\WINDOWS\system32\T1QaSQ
2007-06-10 18:09 <DIR> d-------- C:\Temp\x2b
2007-06-10 18:09 <DIR> d-------- C:\Temp


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-04-25 14:21:16 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2007-04-18 16:12:24 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-17 05:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-17 05:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-17 05:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-17 05:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-17 05:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-17 05:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-17 05:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-17 05:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{53707962-6F74-2D53-2644-206D7942484F}=C:\Program Files\Spybot - Search & Destroy\SDHelper.dll [2005-05-31 01:04]
{85589B5D-D53D-4237-A677-46B82EA275F3}=C:\WINDOWS\xmlhelper2.dll [2007-06-23 17:59]
{C4B71525-63DA-49E7-8298-49AA49AE9D93}=C:\Program Files\support.com\lawu.dll []
{E99F508C-DAC6-4020-B612-BE26FAADC64A}=C:\Program Files\Windows NT\holenusa.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-04-30 08:42]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-09-13 11:12]


Contents of the 'Scheduled Tasks' folder
2007-06-24 07:00:02 C:\WINDOWS\tasks\At1.job

**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-24 11:46:06
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-06-24 11:47:27 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-06-24 11:47

--- E O F ---


The HijackThis file is as follows:

Logfile of HijackThis v1.99.1
Scan saved at 11:50:18 AM, on 6/24/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ads.k8l.info/media/servlet/view/dyn...TTC=6&GNW=0
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: BHOAd - {85589B5D-D53D-4237-A677-46B82EA275F3} - C:\WINDOWS\xmlhelper2.dll
O2 - BHO: 0 - {C4B71525-63DA-49E7-8298-49AA49AE9D93} - C:\Program Files\support.com\lawu.dll (file missing)
O2 - BHO: (no name) - {E99F508C-DAC6-4020-B612-BE26FAADC64A} - C:\Program Files\Windows NT\holenusa.dll (file missing)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)

----------------------------------------------------------------


Kindly let me know what I should do next.

Regards,
Vijay
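As an added illustration (not part of this thread, and not code from HijackThis, ComboFix or BleepingComputer), the script below applies the rules of thumb a helper uses when reading logs like the two above: entries whose referenced file is missing, services with no owner, autoruns dropped straight into C:\WINDOWS, a hijacked ShellNext URL, and the eight-random-letter filenames that recur throughout these logs. The sample lines are copied from this thread's logs; the heuristics are triage hints for a human reader, not a verdict.

```python
import re
from dataclasses import dataclass

# Constructed sample input: lines copied from the HijackThis logs in this thread,
# plus two known-good entries (avast!, Nero's NMBgMonitor) so both outcomes show.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ads.k8l.info/media/servlet/view/dyn...TTC=6&GNW=0
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: 0 - {C4B71525-63DA-49E7-8298-49AA49AE9D93} - C:\Program Files\support.com\lawu.dll (file missing)
O4 - HKLM\..\Run: [Configuration Manager] C:\WINDOWS\cfg32.exe
O4 - HKLM\..\Run: [{B5-5F-F4-4F-ZN}] C:\windows\system32\modsregl.exe CHD003
O4 - HKLM\..\Run: [GPLv3] rundll32.exe "C:\WINDOWS\system32\kehtdock.dll",realset
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\myuqwncj.exe (file missing)
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

LINE_RE = re.compile(r"^(R\d|O\d+) - (.*)$")
O4_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\(Run\w*): \[(.*?)\] (.*)$")
O23_RE = re.compile(r"^Service: (.*?) - (.*?) - (.*)$")
O2_RE = re.compile(r"^BHO: (.*?) - (\{[0-9A-Fa-f-]+\}) - (.*)$")
SHELLNEXT_RE = re.compile(r"ShellNext = (\S+)")
# Eight lowercase letters before the extension: the generated-name pattern seen
# throughout the logs above (myuqwncj.exe, kehtdock.dll, wbswelht.dll, ...).
# A heuristic only; legitimate files can match it too.
RANDOM_NAME_RE = re.compile(r"^[a-z]{8}\.(?:exe|dll)$")


@dataclass
class Finding:
    line: str
    reasons: list


def command_target(command: str) -> str:
    """File an O4 command actually loads: the DLL for rundll32, else the first token."""
    cmd = command.strip()
    m = re.match(r'rundll32(?:\.exe)?\s+"?([^",]+)', cmd, re.IGNORECASE)
    if m:
        return m.group(1).strip()
    m = re.match(r'"([^"]+)"|(\S+)', cmd)
    return (m.group(1) or m.group(2)) if m else cmd


def path_reasons(path: str) -> list:
    """Heuristics on where a loaded file lives and what it is called."""
    reasons = []
    directory, _, name = path.rpartition("\\")
    if directory.lower() == r"c:\windows":
        reasons.append("binary dropped directly in the Windows folder")
    if RANDOM_NAME_RE.match(name):
        reasons.append("eight-random-letter filename")
    return reasons


def reasons_for(section: str, rest: str) -> list:
    """Return why one HijackThis entry deserves a second look (empty if none)."""
    reasons = []
    if "(file missing)" in rest or "(no file)" in rest:
        reasons.append("orphaned entry: referenced file is missing")
    if section == "R1":
        m = SHELLNEXT_RE.search(rest)
        if m and m.group(1).lower().startswith("http"):
            reasons.append("ShellNext points at an external URL")
    elif section == "O2":
        m = O2_RE.match(rest)
        if m:
            reasons += path_reasons(m.group(3).split(" (")[0])
    elif section == "O4":
        m = O4_RE.match(rest)
        if m:
            reasons += path_reasons(command_target(m.group(3)))
    elif section == "O23":
        m = O23_RE.match(rest)
        if m:
            if m.group(2) == "Unknown owner":
                reasons.append("service with no vendor/owner")
            reasons += path_reasons(m.group(3).split(" (")[0])
    return reasons


def triage(log_text: str) -> list:
    """Walk a HijackThis log and collect the entries that match a heuristic."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # header, running-process list, blank line
        reasons = reasons_for(m.group(1), m.group(2))
        if reasons:
            findings.append(Finding(raw.strip(), reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.line)
        for r in f.reasons:
            print("    ->", r)
```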

#4 SifuMike (malware expert)

Posted 24 June 2007 - 11:44 AM

Hi Vijay,

Looks like you are still heavily infected with malware. :thumbsup:

Run these two scanners; they should remove most (if not all) of it.


You will need to use Internet Explorer for this scan.
Disable your antivirus program and go here to run BitDefender Online Scan.
Click on I Agree.
Avoid clicking on other links as you don't need to try out the full install at this point, just the online scanner.

When the ActiveX Control has loaded, click on "Click here to scan".
Please be patient, as this scan may take a few hours. It all depends on the number of files on your computer.

NOTE: If you are running XP SP2, you may need to click on the Information Bar to allow the ActiveX to install and may need to repeat the BitDefender Online Scan.


When BitDefender completes the scan, select the "Detected Problems" tab.
Click on "Click here to export scan".
Save the file as an HTML to your Desktop.
Then click on the saved file and allow it to open with your browser.
Go to Edit - Select All then copy/paste that log back here.
Post the BitDefender log.


******************

Download and install AVG Anti-Spyware v7.5.
  • After download, double click on the file to launch the install process.
  • Choose a language, click "OK" and then click "Next".
  • Read the "License Agreement" and click "I Agree".
  • Accept default installation path: C:\Program Files\Grisoft\AVG Anti-Spyware 7.5, click "Next", then click "Install".
  • After setup completes, click "Finish" to start the program automatically or launch AVG Anti-Spyware by double-clicking its icon on your desktop or in the system tray.
  • Connect to the Internet, go back to AVG Anti-Spyware, select the "Update" button and click "Start update". Wait until you see the "Update successful" message. If you are having problems with the updater, manually update with the AVG Anti-Spyware Full database installer from here.
  • Exit AVG Anti-Spyware when done - DO NOT perform a scan yet.

    Reboot your computer in "SAFE MODE" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode". (Note: When run in safe mode, sometimes the GUI is larger than the screen and the buttons at the bottom are partly or completely hidden, making them inaccessible for doing a scan. If this is the case, press the WINKEY + M key to "Minimize" the AVG display. Then right-click on AVG in the Task Bar and select "Maximize". If that does not help, then you may have to run your scan in normal mode and advise your helper afterwards.)

    Scan with AVG Anti-Spyware as follows:
  • Click on the "Scanner" button and choose the "Settings" tab.
  • Under "How to act?", click on "Recommended actions" and choose "Quarantine" to set default action for detected malware.
  • Under "How to Scan?", "Possibly unwanted software", and "What to Scan?" leave all the default settings.
  • Under "Reports" select "Automatically generate report after every scan" and UNcheck "Only if threats were found".
  • Click the "Scan" tab to return to scanning options.
  • Click "Complete System Scan" to start.
  • When the scan has finished, it should automatically be set to Quarantine; if not, click on Recommended Action and set it there.
  • You will also be presented with a list of infected objects found. Click "Apply all actions" to place the files in Quarantine.
IMPORTANT! Do not save the report before you have clicked the Apply all actions button. If you do, the log that is created will indicate "No action taken", making it more difficult to interpret the report. So be sure you save it only AFTER clicking the "Apply all actions" button.
  • Click on "Save Report" to view all completed scans. Click on the most recent scan you just performed and select "Save report as" - the default file name will be in date/time format as follows: Report-Scan-20060620-142816.txt. Save to your desktop. A copy of each report will also be saved in C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Reports\
  • Exit AVG Anti-Spyware when done, reboot normally and submit the log report in your next response.
Note: Close all open windows, programs, and DO NOT USE the computer while AVG Anti-Spyware is scanning. Doing so can hamper AVG Anti-Spyware's ability to clean properly and may result in reinfection.

AVG Anti-Spyware is free for 30 days and all the extensions of the full version will be activated. After the 30 day trial, active protection extensions will be deactivated and the program will turn into a feature-limited freeware version that you can continue to use as an on-demand scanner, or you may purchase a license to use the full version.


Run ComboFix again, and post the ComboFix log.

When done, submit the ComboFix log, BitDefender log, the AVG Anti-Spyware 7.5 log and a fresh HijackThis log.

Edited by SifuMike, 26 June 2007 - 09:43 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#5 vjaybm

vjaybm
  • Topic Starter

  • Members
  • 9 posts

Posted 24 June 2007 - 05:45 PM

SifuMike,

Here are the log files:

COMBOFIX LOG:

"jyoti" - 2007-06-24 11:21:20 - ComboFix 07-06-23.5 - Service Pack 2


(((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\wbswelht.dll
C:\WINDOWS\system32\mlwpniyt.dll
C:\WINDOWS\system32\rweyvjwp.dll
C:\WINDOWS\system32\nkpvvxjg.dll
C:\WINDOWS\system32\rhcubfeu.dll
C:\WINDOWS\system32\xpfqjlap.dll
C:\WINDOWS\system32\fktwynbx.dll
C:\WINDOWS\system32\kinkexar.dll
C:\WINDOWS\system32\jgkwsqjq.dll
C:\WINDOWS\system32\fvkaweqr.dll
C:\WINDOWS\system32\mlpbgsnu.dll
C:\WINDOWS\system32\qvhwwqfk.dll
C:\WINDOWS\system32\awhbreon.dll
C:\WINDOWS\system32\bcnpeorc.dll
C:\WINDOWS\system32\rdqupdpt.dll
C:\WINDOWS\system32\ggtcqekm.dll
C:\WINDOWS\system32\cljvwfnd.dll
C:\WINDOWS\system32\yfqrepnh.dll
C:\WINDOWS\system32\kopjvfhs.dll
C:\WINDOWS\system32\kjhhydgf.dll
C:\WINDOWS\system32\cbasdper.dll
C:\WINDOWS\system32\mcqtjfbj.dll
C:\WINDOWS\system32\loejbjjg.dll
C:\WINDOWS\system32\jifkaayl.dll
C:\WINDOWS\system32\thlewsbw.ini
C:\WINDOWS\system32\tyinpwlm.ini
C:\WINDOWS\system32\pwjvyewr.ini
C:\WINDOWS\system32\gjxvvpkn.ini
C:\WINDOWS\system32\uefbuchr.ini
C:\WINDOWS\system32\paljqfpx.ini
C:\WINDOWS\system32\dfhkj.ini
C:\WINDOWS\system32\dfhkj.tmp
C:\WINDOWS\system32\dfhkj.bak2
C:\WINDOWS\system32\dfhkj.ini2
C:\WINDOWS\system32\raxeknik.ini
C:\WINDOWS\system32\unsgbplm.ini
C:\WINDOWS\system32\noerbhwa.ini
C:\WINDOWS\system32\croepncb.ini
C:\WINDOWS\system32\tpdpuqdr.ini
C:\WINDOWS\system32\mkeqctgg.ini
C:\WINDOWS\system32\dnfwvjlc.ini
C:\WINDOWS\system32\shfvjpok.ini
C:\WINDOWS\system32\fgdyhhjk.ini
C:\WINDOWS\system32\repdsabc.ini
C:\WINDOWS\system32\jbfjtqcm.ini
C:\WINDOWS\system32\gjjbjeol.ini
C:\WINDOWS\system32\dfhkj.ini
C:\WINDOWS\system32\dfhkj.tmp
C:\WINDOWS\system32\dfhkj.bak2
C:\WINDOWS\system32\dfhkj.ini2
C:\WINDOWS\system32\jkhfd.dll
C:\WINDOWS\system32\pmnllmn.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\ALLUSE~1\APPLIC~1.\SalesMonitor
C:\Program Files\Common Files\mantec~1
C:\Program Files\ipwindows
C:\Temp\0b9
C:\Temp\0b9\tmpTF.log
C:\Temp\tn3
C:\WINDOWS\cfg32.exe
C:\WINDOWS\cfg32a.exe
C:\WINDOWS\cfg32r.dll
C:\WINDOWS\cs_cache.ini
C:\WINDOWS\itpb_3.exe
C:\WINDOWS\racle~1
C:\WINDOWS\rau001978.exe
C:\WINDOWS\stub_mma2.exe
C:\WINDOWS\system32\300NE26b.exe
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\core.sys
C:\WINDOWS\system32\dwdsregt.exe
C:\WINDOWS\system32\msnav32.ax
C:\WINDOWS\system32\msxml3a.dll
C:\WINDOWS\system32\oipJlt6U.exe
C:\WINDOWS\system32\owinpndt.exe
C:\WINDOWS\system32\pog
C:\WINDOWS\system32\rdt3T0UL.exe
C:\WINDOWS\system32\T3
C:\WINDOWS\system32\T4
C:\WINDOWS\system32\T4\amst5.exe
C:\WINDOWS\system32\T6
C:\WINDOWS\system32\T7
C:\WINDOWS\system32\T7\wb22.exe
C:\WINDOWS\tasks\At10.job
C:\WINDOWS\tasks\At11.job
C:\WINDOWS\tasks\At12.job
C:\WINDOWS\tasks\At13.job
C:\WINDOWS\tasks\At14.job
C:\WINDOWS\tasks\At15.job
C:\WINDOWS\tasks\At16.job
C:\WINDOWS\tasks\At17.job
C:\WINDOWS\tasks\At18.job
C:\WINDOWS\tasks\At19.job
C:\WINDOWS\tasks\At2.job
C:\WINDOWS\tasks\At20.job
C:\WINDOWS\tasks\At21.job
C:\WINDOWS\tasks\At22.job
C:\WINDOWS\tasks\At23.job
C:\WINDOWS\tasks\At24.job
C:\WINDOWS\tasks\At25.job
C:\WINDOWS\tasks\At26.job
C:\WINDOWS\tasks\At27.job
C:\WINDOWS\tasks\At28.job
C:\WINDOWS\tasks\At29.job
C:\WINDOWS\tasks\At3.job
C:\WINDOWS\tasks\At30.job
C:\WINDOWS\tasks\At31.job
C:\WINDOWS\tasks\At32.job
C:\WINDOWS\tasks\At33.job
C:\WINDOWS\tasks\At34.job
C:\WINDOWS\tasks\At35.job
C:\WINDOWS\tasks\At36.job
C:\WINDOWS\tasks\At37.job
C:\WINDOWS\tasks\At38.job
C:\WINDOWS\tasks\At39.job
C:\WINDOWS\tasks\At4.job
C:\WINDOWS\tasks\At40.job
C:\WINDOWS\tasks\At41.job
C:\WINDOWS\tasks\At42.job
C:\WINDOWS\tasks\At43.job
C:\WINDOWS\tasks\At44.job
C:\WINDOWS\tasks\At45.job
C:\WINDOWS\tasks\At46.job
C:\WINDOWS\tasks\At47.job
C:\WINDOWS\tasks\At48.job
C:\WINDOWS\tasks\At49.job
C:\WINDOWS\tasks\At5.job
C:\WINDOWS\tasks\At50.job
C:\WINDOWS\tasks\At51.job
C:\WINDOWS\tasks\At52.job
C:\WINDOWS\tasks\At53.job
C:\WINDOWS\tasks\At54.job
C:\WINDOWS\tasks\At55.job
C:\WINDOWS\tasks\At56.job
C:\WINDOWS\tasks\At57.job
C:\WINDOWS\tasks\At58.job
C:\WINDOWS\tasks\At59.job
C:\WINDOWS\tasks\At6.job
C:\WINDOWS\tasks\At60.job
C:\WINDOWS\tasks\At61.job
C:\WINDOWS\tasks\At62.job
C:\WINDOWS\tasks\At63.job
C:\WINDOWS\tasks\At64.job
C:\WINDOWS\tasks\At65.job
C:\WINDOWS\tasks\At66.job
C:\WINDOWS\tasks\At67.job
C:\WINDOWS\tasks\At68.job
C:\WINDOWS\tasks\At69.job
C:\WINDOWS\tasks\At7.job
C:\WINDOWS\tasks\At70.job
C:\WINDOWS\tasks\At71.job
C:\WINDOWS\tasks\At72.job
C:\WINDOWS\tasks\At8.job
C:\WINDOWS\tasks\At9.job
C:\WINDOWS\wr.txt


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_CORE
-------\LEGACY_DOMAINSERVICE
-------\LEGACY_NET_AGENT
-------\LEGACY_WINDOWS_OVERLAY_COMPONENTS
-------\core
-------\DomainService
-------\Net Agent


((((((((((((((((((((((((( Files Created from 2007-05-24 to 2007-06-24 )))))))))))))))))))))))))))))))


2007-06-24 11:19 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-24 11:16 122,900 --a------ C:\WINDOWS\system32\bnkccekm.exe
2007-06-24 11:14 916 --a------ C:\WINDOWS\system32\winpfz32.sys
2007-06-24 11:10 49,178 --a------ C:\WINDOWS\system32\modsregl.exe
2007-06-24 10:57 95,872 --a------ C:\WINDOWS\system32\AvastSS.scr
2007-06-24 10:57 43,176 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-06-24 10:57 26,888 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-06-24 10:57 23,416 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-06-24 10:56 94,552 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-06-24 10:56 85,952 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-06-24 10:56 745,600 --a------ C:\WINDOWS\system32\aswBoot.exe
2007-06-24 10:56 <DIR> d-------- C:\Program Files\Alwil Software
2007-06-24 10:53 122,900 --a------ C:\WINDOWS\system32\vedjjyer.exe
2007-06-24 10:52 49,152 --a------ C:\WINDOWS\itpb_11.exe
2007-06-23 21:38 122,900 --a------ C:\WINDOWS\system32\dlpyjhmq.exe
2007-06-23 21:06 122,900 --a------ C:\WINDOWS\system32\uvtalcky.exe
2007-06-23 21:01 122,900 --a------ C:\WINDOWS\system32\okmgodvn.exe
2007-06-23 19:39 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-06-23 19:38 122,900 --a------ C:\WINDOWS\system32\lsjvabbq.exe
2007-06-23 19:34 <DIR> d--hs---- C:\FOUND.001
2007-06-23 19:12 122,900 --a------ C:\WINDOWS\system32\jcuwxskd.exe
2007-06-23 19:04 122,900 --a------ C:\WINDOWS\system32\fmrllwif.exe
2007-06-23 18:58 <DIR> d-------- C:\WINDOWS\pss
2007-06-23 18:41 2,580 --a------ C:\WINDOWS\system32\lbooqnaj.exe
2007-06-23 18:36 4,628 --a------ C:\WINDOWS\system32\wepiiiel.exe
2007-06-23 18:36 122,900 --a------ C:\WINDOWS\system32\cmbjjixj.exe
2007-06-23 18:34 122,900 --a------ C:\WINDOWS\system32\rdmfjybt.exe
2007-06-23 18:34 <DIR> d-------- C:\DOCUME~1\jyoti\APPLIC~1\Yahoo!
2007-06-23 18:30 786,432 --ah----- C:\DOCUME~1\jyoti\NTUSER.DAT
2007-06-23 18:28 122,900 --a------ C:\WINDOWS\system32\psgllrvj.exe
2007-06-23 18:16 122,900 --a------ C:\WINDOWS\system32\xjujppcc.exe
2007-06-23 17:59 122,880 --a------ C:\WINDOWS\xmlhelper2.dll
2007-06-22 23:56 4,628 --a------ C:\WINDOWS\system32\nljbpcmk.exe
2007-06-19 10:13 122,880 --a------ C:\WINDOWS\xmlhelper.dll
2007-06-12 20:33 5,504 --a------ C:\WINDOWS\system32\drivers\MSTEE.sys
2007-06-12 20:32 15,360 --a------ C:\WINDOWS\system32\drivers\StreamIP.sys
2007-06-12 20:32 11,136 --a------ C:\WINDOWS\system32\drivers\SLIP.sys
2007-06-12 20:32 10,880 --a------ C:\WINDOWS\system32\drivers\NdisIP.sys
2007-06-12 20:31 85,376 --a------ C:\WINDOWS\system32\drivers\NABTSFEC.sys
2007-06-12 20:31 19,328 --a------ C:\WINDOWS\system32\drivers\WSTCODEC.SYS
2007-06-12 20:31 17,024 --a------ C:\WINDOWS\system32\drivers\CCDECODE.sys
2007-06-12 20:29 53,760 --a------ C:\WINDOWS\system32\vfwwdm32.dll
2007-06-12 20:29 39,424 -ra------ C:\WINDOWS\system32\drivers\LVUSBSta.sys
2007-06-12 20:29 380,928 -ra------ C:\WINDOWS\system32\LVUI2RC.dll
2007-06-12 20:29 287,360 -ra------ C:\WINDOWS\system32\drivers\LV561AV.SYS
2007-06-12 20:29 217,088 -ra------ C:\WINDOWS\system32\LVUI2.dll
2007-06-12 20:29 204,800 -ra------ C:\WINDOWS\system32\lvcodec2.dll
2007-06-12 20:29 2,112 -ra------ C:\WINDOWS\system32\Repository.reg
2007-06-12 20:29 110,592 -ra------ C:\WINDOWS\system32\lvcoinst.dll
2007-06-12 20:07 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Yahoo!
2007-06-12 19:55 <DIR> d-------- C:\Program Files\Yahoo!
2007-06-11 23:20 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2007-06-11 23:20 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2007-06-11 23:20 <DIR> d-------- C:\WINDOWS\system32\PreInstall
2007-06-11 20:40 <DIR> d-------- C:\Program Files\Common Files\Ahead
2007-06-11 20:37 <DIR> d-------- C:\Program Files\Nero
2007-06-11 18:53 <DIR> d-------- C:\anti-virus
2007-06-11 18:09 <DIR> d-------- C:\WINDOWS\system32\SoftwareDistribution
2007-06-11 18:02 <DIR> d--hs---- C:\FOUND.000
2007-06-10 20:17 <DIR> d--hs---- C:\UWA7P
2007-06-10 18:21 89,088 --a------ C:\WINDOWS\system32\atl71.dll
2007-06-10 18:21 8,704 --a------ C:\WINDOWS\system32\SpOrder.dll
2007-06-10 18:21 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
2007-06-10 18:21 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll
2007-06-10 18:21 1,060,864 --a------ C:\WINDOWS\system32\mfc71.dll
2007-06-10 18:21 <DIR> d-------- C:\Program Files\Common Files\WinAntiVirus Pro 2007
2007-06-10 18:21 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\WinAntiVirus Pro 2007
2007-06-10 18:09 <DIR> d-------- C:\WINDOWS\system32\TQ0
2007-06-10 18:09 <DIR> d-------- C:\WINDOWS\system32\T1QaSQ
2007-06-10 18:09 <DIR> d-------- C:\Temp\x2b
2007-06-10 18:09 <DIR> d-------- C:\Temp


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-04-25 14:21:16 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2007-04-18 16:12:24 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-17 05:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-17 05:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-17 05:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-17 05:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-17 05:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-17 05:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-17 05:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-17 05:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{53707962-6F74-2D53-2644-206D7942484F}=C:\Program Files\Spybot - Search & Destroy\SDHelper.dll [2005-05-31 01:04]
{85589B5D-D53D-4237-A677-46B82EA275F3}=C:\WINDOWS\xmlhelper2.dll [2007-06-23 17:59]
{C4B71525-63DA-49E7-8298-49AA49AE9D93}=C:\Program Files\support.com\lawu.dll []
{E99F508C-DAC6-4020-B612-BE26FAADC64A}=C:\Program Files\Windows NT\holenusa.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-04-30 08:42]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-09-13 11:12]


Contents of the 'Scheduled Tasks' folder
2007-06-24 07:00:02 C:\WINDOWS\tasks\At1.job

**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-24 11:46:06
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-06-24 11:47:27 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-06-24 11:47

--- E O F ---
-----------------------------------------------------------------------------------------------------------------------------

BITDEFENDER LOG:

BitDefender Online Scanner

Scan report generated at: Sun, Jun 24, 2007 - 13:38:00

Scan path: A:\;C:\;D:\;E:\;

Statistics
Time: 00:17:56
Files: 34857
Folders: 1266
Boot Sectors: 5
Archives: 383
Packed Files: 1603

Results
Identified Viruses: 20
Infected Files: 85
Suspect Files: 0
Warnings: 0
Disinfected: 0
Deleted Files: 85

Engines Info
Virus Definitions: 571180
Engine build: AVCORE v1.0 (build 2410) (i386) (Jun 12 2007 21:08:27)
Scan plugins: 14
Archive plugins: 38
Unpack plugins: 6
E-mail plugins: 6
System plugins: 1

Scan Settings
First Action: Disinfect
Second Action: Delete
Heuristics: Yes
Enable Warnings: Yes
Scanned Extensions: *;
Exclude Extensions:
Scan Emails: Yes
Scan Archives: Yes
Scan Packed: Yes
Scan Files: Yes
Scan Boot: Yes


Scanned File
Status

C:\WINDOWS\system32\okmgodvn.exe
Infected with: Trojan.Fotomoto.A

C:\WINDOWS\system32\okmgodvn.exe
Disinfection failed

C:\WINDOWS\system32\okmgodvn.exe
Deleted

C:\WINDOWS\system32\uvtalcky.exe
Infected with: Trojan.Fotomoto.A

C:\WINDOWS\system32\uvtalcky.exe
Disinfection failed

C:\WINDOWS\system32\uvtalcky.exe
Deleted

C:\WINDOWS\system32\dlpyjhmq.exe
Infected with: Trojan.Fotomoto.A

C:\WINDOWS\system32\dlpyjhmq.exe
Disinfection failed

C:\WINDOWS\system32\dlpyjhmq.exe
Deleted

C:\WINDOWS\system32\modsregl.exe
Infected with: Trojan.Dropper.Zeno.A

C:\WINDOWS\system32\modsregl.exe
Disinfection failed

C:\WINDOWS\system32\modsregl.exe
Deleted

C:\WINDOWS\system32\vedjjyer.exe
Infected with: Trojan.Fotomoto.A

C:\WINDOWS\system32\vedjjyer.exe
Disinfection failed

C:\WINDOWS\system32\vedjjyer.exe
Deleted

C:\WINDOWS\system32\lsjvabbq.exe
Infected with: Trojan.Fotomoto.A

C:\WINDOWS\system32\lsjvabbq.exe
Disinfection failed

C:\WINDOWS\system32\lsjvabbq.exe
Deleted

C:\WINDOWS\system32\jcuwxskd.exe
Infected with: Trojan.Fotomoto.A

C:\WINDOWS\system32\jcuwxskd.exe
Disinfection failed

C:\WINDOWS\system32\jcuwxskd.exe
Deleted

C:\WINDOWS\system32\fmrllwif.exe
Infected with: Trojan.Fotomoto.A

C:\WINDOWS\system32\fmrllwif.exe
Disinfection failed

C:\WINDOWS\system32\fmrllwif.exe
Deleted

C:\WINDOWS\system32\xjujppcc.exe
Infected with: Trojan.Fotomoto.A

C:\WINDOWS\system32\xjujppcc.exe
Disinfection failed

C:\WINDOWS\system32\xjujppcc.exe
Deleted

C:\WINDOWS\system32\psgllrvj.exe
Infected with: Trojan.Fotomoto.A

C:\WINDOWS\system32\psgllrvj.exe
Disinfection failed

C:\WINDOWS\system32\psgllrvj.exe
Deleted

C:\WINDOWS\system32\rdmfjybt.exe
Infected with: Trojan.Fotomoto.A

C:\WINDOWS\system32\rdmfjybt.exe
Disinfection failed

C:\WINDOWS\system32\rdmfjybt.exe
Deleted

C:\WINDOWS\system32\cmbjjixj.exe
Infected with: Trojan.Fotomoto.A

C:\WINDOWS\system32\cmbjjixj.exe
Disinfection failed

C:\WINDOWS\system32\cmbjjixj.exe
Deleted

C:\WINDOWS\system32\bnkccekm.exe
Infected with: Trojan.Fotomoto.A

C:\WINDOWS\system32\bnkccekm.exe
Disinfection failed

C:\WINDOWS\system32\bnkccekm.exe
Deleted

C:\WINDOWS\system32\lbooqnaj.exe
Infected with: Trojan.LowZones.SA

C:\WINDOWS\system32\lbooqnaj.exe
Disinfection failed

C:\WINDOWS\system32\lbooqnaj.exe
Deleted

C:\WINDOWS\Downloaded Program Files\UWA7P_0001_N91M0809NetInstaller.exe
Infected with: Trojan.Downloader.Winfixer.O

C:\WINDOWS\Downloaded Program Files\UWA7P_0001_N91M0809NetInstaller.exe
Disinfection failed

C:\WINDOWS\Downloaded Program Files\UWA7P_0001_N91M0809NetInstaller.exe
Deleted

C:\WINDOWS\xmlhelper.dll
Infected with: Trojan.BHO.BT

C:\WINDOWS\xmlhelper.dll
Disinfection failed

C:\WINDOWS\xmlhelper.dll
Deleted

C:\WINDOWS\itpb_11.exe
Infected with: Trojan.Dropper.Zeno.A

C:\WINDOWS\itpb_11.exe
Disinfection failed

C:\WINDOWS\itpb_11.exe
Deleted

C:\System Volume Information\_restore{87B7A7CF-A903-486F-8A0E-674FB3E0C2BF}\RP44\A0010022.DLL
Infected with: GenPack:Trojan.Vundo.DLZ

C:\System Volume Information\_restore{87B7A7CF-A903-486F-8A0E-674FB3E0C2BF}\RP44\A0010022.DLL
Disinfection failed

C:\System Volume Information\_restore{87B7A7CF-A903-486F-8A0E-674FB3E0C2BF}\RP44\A0010022.DLL
Deleted

C:\System Volume Information\_restore{87B7A7CF-A903-486F-8A0E-674FB3E0C2BF}\RP46\A0010657.DLL
Infected with: Generic.Lineage.2259D555

C:\System Volume Information\_restore{87B7A7CF-A903-486F-8A0E-674FB3E0C2BF}\RP46\A0010657.DLL
Disinfection failed

C:\System Volume Information\_restore{87B7A7CF-A903-486F-8A0E-674FB3E0C2BF}\RP46\A0010657.DLL
Deleted

C:\System Volume Information\_restore{87B7A7CF-A903-486F-8A0E-674FB3E0C2BF}\RP46\A0010676.exe
Infected with: Trojan.Fakealert.BX

C:\System Volume Information\_restore{87B7A7CF-A903-486F-8A0E-674FB3E0C2BF}\RP46\A0010676.exe
Disinfection failed

C:\System Volume Information\_restore{87B7A7CF-A903-486F-8A0E-674FB3E0C2BF}\RP46\A0010676.exe
Deleted

C:\System Volume Information\_restore{87B7A7CF-A903-486F-8A0E-674FB3E0C2BF}\RP46\A0010680.exe
Infected with: Trojan.Downloader.Winfixer.O

C:\System Volume Information\_restore{87B7A7CF-A903-486F-8A0E-674FB3E0C2BF}\RP46\A0010680.exe
Disinfection failed

C:\System Volume Information\_restore{87B7A7CF-A903-486F-8A0E-674FB3E0C2BF}\RP46\A0010680.exe
Deleted

C:\System Volume Information\_restore{87B7A7CF-A903-486F-8A0E-674FB3E0C2BF}\RP50\A0013427.exe
Infected with: Dropped:Adware.TTC.B

C:\System Volume Information\_restore{87B7A7CF-A903-486F-8A0E-674FB3E0C2BF}\RP50\A0013427.exe
Disinfection failed

C:\System Volume Information\_restore{87B7A7CF-A903-486F-8A0E-674FB3E0C2BF}\RP50\A0013427.exe
Deleted

C:\System Volume Information\_restore{87B7A7CF-A903-486F-8A0E-674FB3E0C2BF}\RP50\A0013430.dll
Infected with: Trojan.Dropper.Searchy.A

C:\System Volume Information\_restore{87B7A7CF-A903-486F-8A0E-674FB3E0C2BF}\RP50\A0013430.dll
Disinfection failed

C:\System Volume Information\_restore{87B7A7CF-A903-486F-8A0E-674FB3E0C2BF}\RP50\A0013430.dll
Deleted

C:\System Volume Information\_restore{87B7A7CF-A903-486F-8A0E-674FB3E0C2BF}\RP50\A0013431.dll
Infected with: Trojan.Dropper.Searchy.C

C:\System Volume Information\_restore{87B7A7CF-A903-486F-8A0E-674FB3E0C2BF}\RP50\A0013431.dll
Disinfection failed

C:\System Volume Information\_restore{87B7A7CF-A903-486F-8A0E-674FB3E0C2BF}\RP50\A0013431.dll
Deleted

C:\System Volume Information\_restore{87B7A7CF-A903-486F-8A0E-674FB3E0C2BF}\RP50\A0013432.dll
Infected with: Trojan.Dropper.Searchy.B

C:\System Volume Information\_restore{87B7A7CF-A903-486F-8A0E-674FB3E0C2BF}\RP50\A0013432.dll
Disinfection failed

C:\System Volume Information\_restore{87B7A7CF-A903-486F-8A0E-674FB3E0C2BF}\RP50\A0013432.dll
Deleted

C:\System Volume Information\_restore{87B7A7CF-A903-486F-8A0E-674FB3E0C2BF}\RP50\A0013433.dll
Infected with: Trojan.Spy.VBStat.B

C:\System Volume Information\_restore{87B7A7CF-A903-486F-8A0E-674FB3E0C2BF}\RP50\A0013433.dll
Deleted

C:\System Volume Information\_restore{87B7A7CF-A903-486F-8A0E-674FB3E0C2BF}\RP50\A0013434.dll
Infected with: Trojan.Spy.VBStat.B

C:\System Volume Information\_restore{87B7A7CF-A903-486F-8A0E-674FB3E0C2BF}\RP50\A0013434.dll
Deleted

C:\System Volume Information\_restore{87B7A7CF-A903-486F-8A0E-674FB3E0C2BF}\RP50\A0013435.dll
Infected with: Trojan.Vundo.DMA

C:\System Volume Information\_restore{87B7A7CF-A903-486F-8A0E-674FB3E0C2BF}\RP50\A0013435.dll
Disinfection failed

C:\System Volume Information\_restore{87B7A7CF-A903-486F-8A0E-674FB3E0C2BF}\RP50\A0013435.dll
Deleted

C:\System Volume Information\_restore{87B7A7CF-A903-486F-8A0E-674FB3E0C2BF}\RP50\A0013436.dll
Infected with: Trojan.Vundo.DMA

C:\System Volume Information\_restore{87B7A7CF-A903-486F-8A0E-674FB3E0C2BF}\RP50\A0013436.dll
Disinfection failed

C:\System Volume Information\_restore{87B7A7CF-A903-486F-8A0E-674FB3E0C2BF}\RP50\A0013436.dll
Deleted

C:\System Volume Information\_restore{87B7A7CF-A903-486F-8A0E-674FB3E0C2BF}\RP50\A0013437.dll
Infected with: Trojan.Vundo.DMA

C:\System Volume Information\_restore{87B7A7CF-A903-486F-8A0E-674FB3E0C2BF}\RP50\A0013437.dll
Disinfection failed

C:\System Volume Information\_restore{87B7A7CF-A903-486F-8A0E-674FB3E0C2BF}\RP50\A0013437.dll
Deleted

C:\System Volume Information\_restore{87B7A7CF-A903-486F-8A0E-674FB3E0C2BF}\RP50\A0013438.dll
Infected with: Trojan.Vundo.DMA

C:\System Volume Information\_restore{87B7A7CF-A903-486F-8A0E-674FB3E0C2BF}\RP50\A0013438.dll
Disinfection failed

C:\System Volume Information\_restore{87B7A7CF-A903-486F-8A0E-674FB3E0C2BF}\RP50\A0013438.dll
Deleted

C:\System Volume Information\_restore{87B7A7CF-A903-486F-8A0E-674FB3E0C2BF}\RP50\A0013439.dll
Infected with: Trojan.Vundo.DMA

C:\System Volume Information\_restore{87B7A7CF-A903-486F-8A0E-674FB3E0C2BF}\RP50\A0013439.dll
Disinfection failed

C:\System Volume Information\_restore{87B7A7CF-A903-486F-8A0E-674FB3E0C2BF}\RP50\A0013439.dll
Deleted

C:\System Volume Information\_restore{87B7A7CF-A903-486F-8A0E-674FB3E0C2BF}\RP50\A0013440.dll
Infected with: Trojan.Vundo.DMA

C:\System Volume Information\_restore{87B7A7CF-A903-486F-8A0E-674FB3E0C2BF}\RP50\A0013440.dll
Disinfection failed

C:\System Volume Information\_restore{87B7A7CF-A903-486F-8A0E-674FB3E0C2BF}\RP50\A0013440.dll
Deleted

C:\System Volume Information\_restore{87B7A7CF-A903-486F-8A0E-674FB3E0C2BF}\RP50\A0013441.dll
Infected with: Trojan.Vundo.DMA

C:\System Volume Information\_restore{87B7A7CF-A903-486F-8A0E-674FB3E0C2BF}\RP50\A0013441.dll
Disinfection failed

C:\System Volume Information\_restore{87B7A7CF-A903-486F-8A0E-674FB3E0C2BF}\RP50\A0013441.dll
Deleted

C:\System Volume Information\_restore{87B7A7CF-A903-486F-8A0E-674FB3E0C2BF}\RP50\A0013442.dll
Infected with: Trojan.Vundo.DLY

C:\System Volume Information\_restore{87B7A7CF-A903-486F-8A0E-674FB3E0C2BF}\RP50\A0013442.dll
Disinfection failed

C:\System Volume Information\_restore{87B7A7CF-A903-486F-8A0E-674FB3E0C2BF}\RP50\A0013442.dll
Deleted

C:\System Volume Information\_restore{87B7A7CF-A903-486F-8A0E-674FB3E0C2BF}\RP50\A0013443.dll
Infected with: Trojan.Vundo.DLY

C:\System Volume Information\_restore{87B7A7CF-A903-486F-8A0E-674FB3E0C2BF}\RP50\A0013443.dll
Disinfection failed

C:\System Volume Information\_restore{87B7A7CF-A903-486F-8A0E-674FB3E0C2BF}\RP50\A0013443.dll
Deleted

C:\System Volume Information\_restore{87B7A7CF-A903-486F-8A0E-674FB3E0C2BF}\RP50\A0013444.exe=>(NSIS o)=>lzma_solid_nsis0002
Infected with: Trojan.Rond.B

C:\System Volume Information\_restore{87B7A7CF-A903-486F-8A0E-674FB3E0C2BF}\RP50\A0013444.exe=>(NSIS o)=>lzma_solid_nsis0002
Disinfection failed

C:\System Volume Information\_restore{87B7A7CF-A903-486F-8A0E-674FB3E0C2BF}\RP50\A0013444.exe=>(NSIS o)=>lzma_solid_nsis0002
Deleted

C:\System Volume Information\_restore{87B7A7CF-A903-486F-8A0E-674FB3E0C2BF}\RP50\A0013444.exe=>(NSIS o)
Update failed

C:\System Volume Information\_restore{87B7A7CF-A903-486F-8A0E-674FB3E0C2BF}\RP50\A0013446.exe
Infected with: Trojan.Dropper.Zeno.A

C:\System Volume Information\_restore{87B7A7CF-A903-486F-8A0E-674FB3E0C2BF}\RP50\A0013446.exe
Disinfection failed

C:\System Volume Information\_restore{87B7A7CF-A903-486F-8A0E-674FB3E0C2BF}\RP50\A0013446.exe
Deleted

C:\System Volume Information\_restore{87B7A7CF-A903-486F-8A0E-674FB3E0C2BF}\RP50\A0013447.exe
Infected with: Trojan.Dropper.Zeno.A

C:\System Volume Information\_restore{87B7A7CF-A903-486F-8A0E-674FB3E0C2BF}\RP50\A0013447.exe
Disinfection failed

C:\System Volume Information\_restore{87B7A7CF-A903-486F-8A0E-674FB3E0C2BF}\RP50\A0013447.exe
Deleted

C:\System Volume Information\_restore{87B7A7CF-A903-486F-8A0E-674FB3E0C2BF}\RP50\A0013483.dll
Infected with: Trojan.Dropper.Searchy.A

C:\System Volume Information\_restore{87B7A7CF-A903-486F-8A0E-674FB3E0C2BF}\RP50\A0013483.dll
Disinfection failed

C:\System Volume Information\_restore{87B7A7CF-A903-486F-8A0E-674FB3E0C2BF}\RP50\A0013483.dll
Deleted

C:\System Volume Information\_restore{87B7A7CF-A903-486F-8A0E-674FB3E0C2BF}\RP50\A0013484.dll
Infected with: Trojan.Dropper.Searchy.C

C:\System Volume Information\_restore{87B7A7CF-A903-486F-8A0E-674FB3E0C2BF}\RP50\A0013484.dll
Disinfection failed

C:\System Volume Information\_restore{87B7A7CF-A903-486F-8A0E-674FB3E0C2BF}\RP50\A0013484.dll
Deleted

C:\System Volume Information\_restore{87B7A7CF-A903-486F-8A0E-674FB3E0C2BF}\RP50\A0013485.dll
Infected with: Trojan.Dropper.Searchy.B

C:\System Volume Information\_restore{87B7A7CF-A903-486F-8A0E-674FB3E0C2BF}\RP50\A0013485.dll
Disinfection failed

C:\System Volume Information\_restore{87B7A7CF-A903-486F-8A0E-674FB3E0C2BF}\RP50\A0013485.dll
Deleted

C:\System Volume Information\_restore{87B7A7CF-A903-486F-8A0E-674FB3E0C2BF}\RP50\A0013507.dll
Infected with: Trojan.Dropper.Searchy.C

C:\System Volume Information\_restore{87B7A7CF-A903-486F-8A0E-674FB3E0C2BF}\RP50\A0013507.dll
Disinfection failed

C:\System Volume Information\_restore{87B7A7CF-A903-486F-8A0E-674FB3E0C2BF}\RP50\A0013507.dll
Deleted

C:\System Volume Information\_restore{87B7A7CF-A903-486F-8A0E-674FB3E0C2BF}\RP50\A0013508.dll
Infected with: Trojan.Dropper.Searchy.B

C:\System Volume Information\_restore{87B7A7CF-A903-486F-8A0E-674FB3E0C2BF}\RP50\A0013508.dll
Disinfection failed

C:\System Volume Information\_restore{87B7A7CF-A903-486F-8A0E-674FB3E0C2BF}\RP50\A0013508.dll
Deleted

C:\System Volume Information\_restore{87B7A7CF-A903-486F-8A0E-674FB3E0C2BF}\RP50\A0013512.exe
Infected with: BehavesLike:Win32.ExplorerHijack

C:\System Volume Information\_restore{87B7A7CF-A903-486F-8A0E-674FB3E0C2BF}\RP50\A0013512.exe
Disinfection failed

C:\System Volume Information\_restore{87B7A7CF-A903-486F-8A0E-674FB3E0C2BF}\RP50\A0013512.exe
Deleted

C:\System Volume Information\_restore{87B7A7CF-A903-486F-8A0E-674FB3E0C2BF}\RP50\A0013513.exe
Infected with: BehavesLike:Win32.ExplorerHijack

C:\System Volume Information\_restore{87B7A7CF-A903-486F-8A0E-674FB3E0C2BF}\RP50\A0013513.exe
Disinfection failed

C:\System Volume Information\_restore{87B7A7CF-A903-486F-8A0E-674FB3E0C2BF}\RP50\A0013513.exe
Deleted

C:\System Volume Information\_restore{87B7A7CF-A903-486F-8A0E-674FB3E0C2BF}\RP50\A0013514.exe
Infected with: BehavesLike:Win32.ExplorerHijack

C:\System Volume Information\_restore{87B7A7CF-A903-486F-8A0E-674FB3E0C2BF}\RP50\A0013514.exe
Disinfection failed

C:\System Volume Information\_restore{87B7A7CF-A903-486F-8A0E-674FB3E0C2BF}\RP50\A0013514.exe
Deleted

C:\System Volume Information\_restore{87B7A7CF-A903-486F-8A0E-674FB3E0C2BF}\RP50\A0013517.exe
Infected with: Trojan.Dropper.Zeno.A

C:\System Volume Information\_restore{87B7A7CF-A903-486F-8A0E-674FB3E0C2BF}\RP50\A0013517.exe
Disinfection failed

C:\System Volume Information\_restore{87B7A7CF-A903-486F-8A0E-674FB3E0C2BF}\RP50\A0013517.exe
Deleted

C:\System Volume Information\_restore{87B7A7CF-A903-486F-8A0E-674FB3E0C2BF}\RP50\A0013518.dll
Infected with: Trojan.Dropper.Searchy.A

C:\System Volume Information\_restore{87B7A7CF-A903-486F-8A0E-674FB3E0C2BF}\RP50\A0013518.dll
Disinfection failed

C:\System Volume Information\_restore{87B7A7CF-A903-486F-8A0E-674FB3E0C2BF}\RP50\A0013518.dll
Deleted

C:\System Volume Information\_restore{87B7A7CF-A903-486F-8A0E-674FB3E0C2BF}\RP50\A0013530.dll
Infected with: Trojan.BHO.AQ

C:\System Volume Information\_restore{87B7A7CF-A903-486F-8A0E-674FB3E0C2BF}\RP50\A0013530.dll
Disinfection failed

C:\System Volume Information\_restore{87B7A7CF-A903-486F-8A0E-674FB3E0C2BF}\RP50\A0013530.dll
Deleted

C:\System Volume Information\_restore{87B7A7CF-A903-486F-8A0E-674FB3E0C2BF}\RP50\A0013531.dll
Infected with: Trojan.BHO.AR

C:\System Volume Information\_restore{87B7A7CF-A903-486F-8A0E-674FB3E0C2BF}\RP50\A0013531.dll
Disinfection failed

C:\System Volume Information\_restore{87B7A7CF-A903-486F-8A0E-674FB3E0C2BF}\RP50\A0013531.dll
Deleted

C:\System Volume Information\_restore{87B7A7CF-A903-486F-8A0E-674FB3E0C2BF}\RP50\A0013533.dll
Infected with: Trojan.BHO.AR

C:\System Volume Information\_restore{87B7A7CF-A903-486F-8A0E-674FB3E0C2BF}\RP50\A0013533.dll
Disinfection failed

C:\System Volume Information\_restore{87B7A7CF-A903-486F-8A0E-674FB3E0C2BF}\RP50\A0013533.dll
Deleted

C:\System Volume Information\_restore{87B7A7CF-A903-486F-8A0E-674FB3E0C2BF}\RP50\A0013539.dll
Infected with: Trojan.BHO.AR

C:\System Volume Information\_restore{87B7A7CF-A903-486F-8A0E-674FB3E0C2BF}\RP50\A0013539.dll
Disinfection failed

C:\System Volume Information\_restore{87B7A7CF-A903-486F-8A0E-674FB3E0C2BF}\RP50\A0013539.dll
Deleted

C:\System Volume Information\_restore{87B7A7CF-A903-486F-8A0E-674FB3E0C2BF}\RP50\A0013566.SYS
Infected with: Rootkit.Agent.EV

C:\System Volume Information\_restore{87B7A7CF-A903-486F-8A0E-674FB3E0C2BF}\RP50\A0013566.SYS
Disinfection failed

C:\System Volume Information\_restore{87B7A7CF-A903-486F-8A0E-674FB3E0C2BF}\RP50\A0013566.SYS
Deleted

C:\System Volume Information\_restore{87B7A7CF-A903-486F-8A0E-674FB3E0C2BF}\RP50\A0013567.dll
Infected with: Trojan.Vundo.DLY

C:\System Volume Information\_restore{87B7A7CF-A903-486F-8A0E-674FB3E0C2BF}\RP50\A0013567.dll
Disinfection failed

C:\System Volume Information\_restore{87B7A7CF-A903-486F-8A0E-674FB3E0C2BF}\RP50\A0013567.dll
Deleted

C:\System Volume Information\_restore{87B7A7CF-A903-486F-8A0E-674FB3E0C2BF}\RP50\A0013568.dll
Infected with: Trojan.Vundo.DMA

C:\System Volume Information\_restore{87B7A7CF-A903-486F-8A0E-674FB3E0C2BF}\RP50\A0013568.dll
Disinfection failed

C:\System Volume Information\_restore{87B7A7CF-A903-486F-8A0E-674FB3E0C2BF}\RP50\A0013568.dll
Deleted

C:\System Volume Information\_restore{87B7A7CF-A903-486F-8A0E-674FB3E0C2BF}\RP50\A0013598.exe
Infected with: Trojan.Dropper.Zeno.A

C:\System Volume Information\_restore{87B7A7CF-A903-486F-8A0E-674FB3E0C2BF}\RP50\A0013598.exe
Disinfection failed

C:\System Volume Information\_restore{87B7A7CF-A903-486F-8A0E-674FB3E0C2BF}\RP50\A0013598.exe
Deleted

C:\System Volume Information\_restore{87B7A7CF-A903-486F-8A0E-674FB3E0C2BF}\RP52\A0013664.exe
Infected with: Trojan.Fotomoto.A

C:\System Volume Information\_restore{87B7A7CF-A903-486F-8A0E-674FB3E0C2BF}\RP52\A0013664.exe
Disinfection failed

C:\System Volume Information\_restore{87B7A7CF-A903-486F-8A0E-674FB3E0C2BF}\RP52\A0013664.exe
Deleted

C:\System Volume Information\_restore{87B7A7CF-A903-486F-8A0E-674FB3E0C2BF}\RP52\A0013665.exe
Infected with: Trojan.Fotomoto.A

C:\System Volume Information\_restore{87B7A7CF-A903-486F-8A0E-674FB3E0C2BF}\RP52\A0013665.exe
Disinfection failed

C:\System Volume Information\_restore{87B7A7CF-A903-486F-8A0E-674FB3E0C2BF}\RP52\A0013665.exe
Deleted

C:\System Volume Information\_restore{87B7A7CF-A903-486F-8A0E-674FB3E0C2BF}\RP52\A0013666.exe
Infected with: Trojan.Fotomoto.A

C:\System Volume Information\_restore{87B7A7CF-A903-486F-8A0E-674FB3E0C2BF}\RP52\A0013666.exe
Disinfection failed

C:\System Volume Information\_restore{87B7A7CF-A903-486F-8A0E-674FB3E0C2BF}\RP52\A0013666.exe
Deleted

C:\System Volume Information\_restore{87B7A7CF-A903-486F-8A0E-674FB3E0C2BF}\RP52\A0013667.exe
Infected with: Trojan.Dropper.Zeno.A

C:\System Volume Information\_restore{87B7A7CF-A903-486F-8A0E-674FB3E0C2BF}\RP52\A0013667.exe
Disinfection failed

C:\System Volume Information\_restore{87B7A7CF-A903-486F-8A0E-674FB3E0C2BF}\RP52\A0013667.exe
Deleted

C:\System Volume Information\_restore{87B7A7CF-A903-486F-8A0E-674FB3E0C2BF}\RP52\A0013668.exe
Infected with: Trojan.Fotomoto.A

C:\System Volume Information\_restore{87B7A7CF-A903-486F-8A0E-674FB3E0C2BF}\RP52\A0013668.exe
Disinfection failed

C:\System Volume Information\_restore{87B7A7CF-A903-486F-8A0E-674FB3E0C2BF}\RP52\A0013668.exe
Deleted

C:\System Volume Information\_restore{87B7A7CF-A903-486F-8A0E-674FB3E0C2BF}\RP52\A0013669.exe
Infected with: Trojan.Fotomoto.A

C:\System Volume Information\_restore{87B7A7CF-A903-486F-8A0E-674FB3E0C2BF}\RP52\A0013669.exe
Disinfection failed

C:\System Volume Information\_restore{87B7A7CF-A903-486F-8A0E-674FB3E0C2BF}\RP52\A0013669.exe
Deleted

C:\System Volume Information\_restore{87B7A7CF-A903-486F-8A0E-674FB3E0C2BF}\RP52\A0013670.exe
Infected with: Trojan.Fotomoto.A

C:\System Volume Information\_restore{87B7A7CF-A903-486F-8A0E-674FB3E0C2BF}\RP52\A0013670.exe
Disinfection failed

C:\System Volume Information\_restore{87B7A7CF-A903-486F-8A0E-674FB3E0C2BF}\RP52\A0013670.exe
Deleted

C:\System Volume Information\_restore{87B7A7CF-A903-486F-8A0E-674FB3E0C2BF}\RP52\A0013671.exe
Infected with: Trojan.Fotomoto.A

C:\System Volume Information\_restore{87B7A7CF-A903-486F-8A0E-674FB3E0C2BF}\RP52\A0013671.exe
Disinfection failed

C:\System Volume Information\_restore{87B7A7CF-A903-486F-8A0E-674FB3E0C2BF}\RP52\A0013671.exe
Deleted

C:\System Volume Information\_restore{87B7A7CF-A903-486F-8A0E-674FB3E0C2BF}\RP52\A0013672.exe
Infected with: Trojan.Fotomoto.A

C:\System Volume Information\_restore{87B7A7CF-A903-486F-8A0E-674FB3E0C2BF}\RP52\A0013672.exe
Disinfection failed

C:\System Volume Information\_restore{87B7A7CF-A903-486F-8A0E-674FB3E0C2BF}\RP52\A0013672.exe
Deleted

C:\System Volume Information\_restore{87B7A7CF-A903-486F-8A0E-674FB3E0C2BF}\RP52\A0013673.exe
Infected with: Trojan.Fotomoto.A

C:\System Volume Information\_restore{87B7A7CF-A903-486F-8A0E-674FB3E0C2BF}\RP52\A0013673.exe
Disinfection failed

C:\System Volume Information\_restore{87B7A7CF-A903-486F-8A0E-674FB3E0C2BF}\RP52\A0013673.exe
Deleted

C:\System Volume Information\_restore{87B7A7CF-A903-486F-8A0E-674FB3E0C2BF}\RP52\A0013674.exe
Infected with: Trojan.Fotomoto.A

C:\System Volume Information\_restore{87B7A7CF-A903-486F-8A0E-674FB3E0C2BF}\RP52\A0013674.exe
Disinfection failed

C:\System Volume Information\_restore{87B7A7CF-A903-486F-8A0E-674FB3E0C2BF}\RP52\A0013674.exe
Deleted

C:\System Volume Information\_restore{87B7A7CF-A903-486F-8A0E-674FB3E0C2BF}\RP52\A0013675.exe
Infected with: Trojan.Fotomoto.A

C:\System Volume Information\_restore{87B7A7CF-A903-486F-8A0E-674FB3E0C2BF}\RP52\A0013675.exe
Disinfection failed

C:\System Volume Information\_restore{87B7A7CF-A903-486F-8A0E-674FB3E0C2BF}\RP52\A0013675.exe
Deleted

C:\System Volume Information\_restore{87B7A7CF-A903-486F-8A0E-674FB3E0C2BF}\RP52\A0013676.exe
Infected with: Trojan.Fotomoto.A

C:\System Volume Information\_restore{87B7A7CF-A903-486F-8A0E-674FB3E0C2BF}\RP52\A0013676.exe
Disinfection failed

C:\System Volume Information\_restore{87B7A7CF-A903-486F-8A0E-674FB3E0C2BF}\RP52\A0013676.exe
Deleted

C:\System Volume Information\_restore{87B7A7CF-A903-486F-8A0E-674FB3E0C2BF}\RP52\A0013677.exe
Infected with: Trojan.LowZones.SA

C:\System Volume Information\_restore{87B7A7CF-A903-486F-8A0E-674FB3E0C2BF}\RP52\A0013677.exe
Disinfection failed

C:\System Volume Information\_restore{87B7A7CF-A903-486F-8A0E-674FB3E0C2BF}\RP52\A0013677.exe
Deleted

C:\System Volume Information\_restore{87B7A7CF-A903-486F-8A0E-674FB3E0C2BF}\RP52\A0013678.dll
Infected with: Trojan.BHO.BT

C:\System Volume Information\_restore{87B7A7CF-A903-486F-8A0E-674FB3E0C2BF}\RP52\A0013678.dll
Disinfection failed

C:\System Volume Information\_restore{87B7A7CF-A903-486F-8A0E-674FB3E0C2BF}\RP52\A0013678.dll
Deleted

C:\System Volume Information\_restore{87B7A7CF-A903-486F-8A0E-674FB3E0C2BF}\RP52\A0013679.exe
Infected with: Trojan.Dropper.Zeno.A

C:\System Volume Information\_restore{87B7A7CF-A903-486F-8A0E-674FB3E0C2BF}\RP52\A0013679.exe
Disinfection failed

C:\System Volume Information\_restore{87B7A7CF-A903-486F-8A0E-674FB3E0C2BF}\RP52\A0013679.exe
Deleted

C:\QooBox\Quarantine\C\WINDOWS\system32\oipJlt6U.exe.vir
Infected with: BehavesLike:Win32.ExplorerHijack

C:\QooBox\Quarantine\C\WINDOWS\system32\oipJlt6U.exe.vir
Disinfection failed

C:\QooBox\Quarantine\C\WINDOWS\system32\oipJlt6U.exe.vir
Deleted

C:\QooBox\Quarantine\C\WINDOWS\system32\300NE26b.exe.vir
Infected with: BehavesLike:Win32.ExplorerHijack

C:\QooBox\Quarantine\C\WINDOWS\system32\300NE26b.exe.vir
Disinfection failed

C:\QooBox\Quarantine\C\WINDOWS\system32\300NE26b.exe.vir
Deleted

C:\QooBox\Quarantine\C\WINDOWS\system32\rdt3T0UL.exe.vir
Infected with: BehavesLike:Win32.ExplorerHijack

C:\QooBox\Quarantine\C\WINDOWS\system32\rdt3T0UL.exe.vir
Disinfection failed

C:\QooBox\Quarantine\C\WINDOWS\system32\rdt3T0UL.exe.vir
Deleted

C:\QooBox\Quarantine\C\WINDOWS\system32\dwdsregt.exe.vir
Infected with: Trojan.Dropper.Zeno.A

C:\QooBox\Quarantine\C\WINDOWS\system32\dwdsregt.exe.vir
Disinfection failed

C:\QooBox\Quarantine\C\WINDOWS\system32\dwdsregt.exe.vir
Deleted

C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\core.sys.vir
Infected with: Rootkit.Agent.EV

C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\core.sys.vir
Disinfection failed

C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\core.sys.vir
Deleted

C:\QooBox\Quarantine\C\WINDOWS\system32\jgkwsqjq.dll.vir
Infected with: Trojan.BHO.AQ

C:\QooBox\Quarantine\C\WINDOWS\system32\jgkwsqjq.dll.vir
Disinfection failed

C:\QooBox\Quarantine\C\WINDOWS\system32\jgkwsqjq.dll.vir
Deleted

C:\QooBox\Quarantine\C\WINDOWS\system32\fvkaweqr.dll.vir
Infected with: Trojan.BHO.AR

C:\QooBox\Quarantine\C\WINDOWS\system32\fvkaweqr.dll.vir
Disinfection failed

C:\QooBox\Quarantine\C\WINDOWS\system32\fvkaweqr.dll.vir
Deleted

C:\QooBox\Quarantine\C\WINDOWS\system32\qvhwwqfk.dll.vir
Infected with: Trojan.BHO.AR

C:\QooBox\Quarantine\C\WINDOWS\system32\qvhwwqfk.dll.vir
Disinfection failed

C:\QooBox\Quarantine\C\WINDOWS\system32\qvhwwqfk.dll.vir
Deleted

C:\QooBox\Quarantine\C\WINDOWS\system32\yfqrepnh.dll.vir
Infected with: Trojan.BHO.AR

C:\QooBox\Quarantine\C\WINDOWS\system32\yfqrepnh.dll.vir
Disinfection failed

C:\QooBox\Quarantine\C\WINDOWS\system32\yfqrepnh.dll.vir
Deleted

C:\QooBox\Quarantine\C\WINDOWS\system32\jkhfd.dll.vir
Infected with: Trojan.Vundo.DLY

C:\QooBox\Quarantine\C\WINDOWS\system32\jkhfd.dll.vir
Disinfection failed

C:\QooBox\Quarantine\C\WINDOWS\system32\jkhfd.dll.vir
Deleted

C:\QooBox\Quarantine\C\WINDOWS\system32\pmnllmn.dll.vir
Infected with: Trojan.Vundo.DMA

C:\QooBox\Quarantine\C\WINDOWS\system32\pmnllmn.dll.vir
Disinfection failed

C:\QooBox\Quarantine\C\WINDOWS\system32\pmnllmn.dll.vir
Deleted

C:\QooBox\Quarantine\C\WINDOWS\cfg32r.dll.vir
Infected with: Trojan.Dropper.Searchy.A

C:\QooBox\Quarantine\C\WINDOWS\cfg32r.dll.vir
Disinfection failed

C:\QooBox\Quarantine\C\WINDOWS\cfg32r.dll.vir
Deleted

------------------------------------------------------------------------------------------------

AVG Anti-Spyware log:


---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 5:15:19 PM 6/24/2007

+ Scan result:



C:\QooBox\Quarantine\C\WINDOWS\system32\T4\amst5.exe.vir -> Dropper.Agent.bfr : Cleaned.
C:\System Volume Information\_restore{87B7A7CF-A903-486F-8A0E-674FB3E0C2BF}\RP50\A0013515.exe -> Dropper.Agent.bfr : Cleaned.
C:\System Volume Information\_restore{87B7A7CF-A903-486F-8A0E-674FB3E0C2BF}\RP47\A0010756.exe -> Not-A-Virus.Downloader.Win32.WinFixer.x : Cleaned.
C:\Documents and Settings\jyoti\Cookies\jyoti@2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\jyoti\Cookies\jyoti@heavycom.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\jyoti\Cookies\jyoti@aavalue[2].txt -> TrackingCookie.Aavalue : Cleaned.
C:\Documents and Settings\jyoti\Cookies\jyoti@arn.aavalue[2].txt -> TrackingCookie.Aavalue : Cleaned.
C:\Documents and Settings\jyoti\Cookies\jyoti@getmusicfree.aavalue[1].txt -> TrackingCookie.Aavalue : Cleaned.
C:\Documents and Settings\jyoti\Cookies\jyoti@www.abcsearch[1].txt -> TrackingCookie.Abcsearch : Cleaned.
C:\Documents and Settings\jyoti\Cookies\jyoti@adbrite[1].txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\jyoti\Cookies\jyoti@ads.adbrite[2].txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\jyoti\Cookies\jyoti@ads.addynamix[2].txt -> TrackingCookie.Addynamix : Cleaned.
C:\Documents and Settings\jyoti\Cookies\jyoti@atdmt[1].txt -> TrackingCookie.Atdmt : Cleaned.
C:\Documents and Settings\jyoti\Cookies\jyoti@casalemedia[2].txt -> TrackingCookie.Casalemedia : Cleaned.
C:\Documents and Settings\jyoti\Cookies\jyoti@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : Cleaned.
C:\Documents and Settings\jyoti\Cookies\jyoti@enhance[1].txt -> TrackingCookie.Enhance : Cleaned.
C:\Documents and Settings\jyoti\Cookies\jyoti@fastclick[2].txt -> TrackingCookie.Fastclick : Cleaned.
C:\Documents and Settings\jyoti\Cookies\jyoti@findwhat[1].txt -> TrackingCookie.Findwhat : Cleaned.
C:\Documents and Settings\jyoti\Cookies\jyoti@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned.
C:\Documents and Settings\jyoti\Cookies\jyoti@ssl-hints.netflame[1].txt -> TrackingCookie.Netflame : Cleaned.
C:\Documents and Settings\jyoti\Cookies\jyoti@overture[1].txt -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\jyoti\Cookies\jyoti@pro-market[2].txt -> TrackingCookie.Pro-market : Cleaned.
C:\Documents and Settings\jyoti\Cookies\jyoti@revsci[1].txt -> TrackingCookie.Revsci : Cleaned.
C:\Documents and Settings\jyoti\Cookies\jyoti@adopt.specificclick[1].txt -> TrackingCookie.Specificclick : Cleaned.
C:\Documents and Settings\jyoti\Cookies\jyoti@specificclick[2].txt -> TrackingCookie.Specificclick : Cleaned.
C:\Documents and Settings\jyoti\Cookies\jyoti@tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\jyoti\Cookies\jyoti@login.tracking101[2].txt -> TrackingCookie.Tracking101 : Cleaned.
C:\Documents and Settings\jyoti\Cookies\jyoti@trafficmp[2].txt -> TrackingCookie.Trafficmp : Cleaned.
C:\Documents and Settings\jyoti\Cookies\jyoti@trafficmp[3].txt -> TrackingCookie.Trafficmp : Cleaned.
C:\Documents and Settings\jyoti\Cookies\jyoti@webstat[1].txt -> TrackingCookie.Web-stat : Cleaned.
C:\Documents and Settings\jyoti\Cookies\jyoti@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned.


::Report end

-------------------------------------------------------------------------------------------------------------------------------------------------------
Hijackthis log:



Logfile of HijackThis v1.99.1
Scan saved at 6:37:55 PM, on 6/24/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ads.k8l.info/media/servlet/view/dyn...TTC=6&GNW=0
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: BHOAd - {85589B5D-D53D-4237-A677-46B82EA275F3} - C:\WINDOWS\xmlhelper2.dll
O2 - BHO: 0 - {C4B71525-63DA-49E7-8298-49AA49AE9D93} - C:\Program Files\support.com\lawu.dll (file missing)
O2 - BHO: (no name) - {E99F508C-DAC6-4020-B612-BE26FAADC64A} - C:\Program Files\Windows NT\holenusa.dll (file missing)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

---------------------------------------------------------------------------

Regards,
Vijay

#6 SifuMike (malware expert; Members, 15,385 posts; Location: Vancouver (not BC) WA (Not DC) USA)

Posted 24 June 2007 - 07:18 PM

Hi Vijay,

Your computer had quite a collection of malware on it. You still are not clean.


Download CCleaner and install it. (default location is best). Do not run it yet!

CCleaner Tutorial


*******************************************

In Normal Mode, select the following with HijackThis.
With all windows (including this one!) closed (close browser/explorer windows), please select "fix."

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ads.k8l.info/media/servlet/view/dyn...TTC=6&GNW=0
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: BHOAd - {85589B5D-D53D-4237-A677-46B82EA275F3} - C:\WINDOWS\xmlhelper2.dll
O2 - BHO: 0 - {C4B71525-63DA-49E7-8298-49AA49AE9D93} - C:\Program Files\support.com\lawu.dll (file missing)
O2 - BHO: (no name) - {E99F508C-DAC6-4020-B612-BE26FAADC64A} - C:\Program Files\Windows NT\holenusa.dll (file missing)


*******************************************

Next, we're going on a file hunt.
Go to My Computer and double-click C.
Go to the Tools menu and select 'Folder Options'.
On the 'View' tab select 'Show hidden files and folders',
deselect (uncheck) 'Hide protected operating system files (recommended)', and
deselect (uncheck) 'Hide extensions for known file types'.


Using Windows Explorer, delete the following files/folders in bold (Do not be concerned if they do not exist)

C:\WINDOWS\xmlhelper2.dll <==file


*******************************************

*NOTE* CCleaner deletes EVERYTHING out of temp/temporary folders and does not make backups.

Let's empty the temp files:

Run CCleaner.

CAUTION: Please do NOT use the Issues button. This is a built-in registry cleaner. If you don’t know how to use it, you may cause irreparable damage to your system.

1. Starting with v1.27.260, CCleaner installs the Yahoo Toolbar as an option which IS checkmarked by default during the installation.
IF you do NOT want it, REMOVE the checkmark when provided with the option OR download the toolbar-free Basic version instead of the Standard Build.


2. Before first use, select Options > Advanced and UNCHECK "Only delete files in Windows Temp folder older than 48 hours"

3. Then select the items you wish to clean up.

In the Windows Tab:
• Clean all entries in the "Internet Explorer" section except Cookies.
• Clean all the entries in the "Windows Explorer" section.
• Clean all entries in the "System" section.
• Clean all entries in the "Advanced" section.
• Clean any others that you choose.

In the Applications Tab:
• Clean all except cookies in the Firefox/Mozilla section if you use it.
• Clean all in the Opera section if you use it.
• Clean Sun Java in the Internet Section.
• Clean any others that you choose.

4. Click the "Run Cleaner" button.
5. A pop up box will appear advising this process will permanently delete files from your system.
6. Click "OK" and it will scan and clean your system.
7. Click "exit" when done.

If it asks you to reboot at the end, click NO.

CCleaner should be run with the above settings for each User Account!

*******************************************


Reboot your computer.

Run ComboFix and post the ComboFix log , a fresh Hijackthis log and tell me how your computer is running.
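The reply above is a by-hand triage of the R1 and O2 lines: the ShellNext value pointing at an ad server, and the BHO entries whose DLL is either gone ("(no file)", "(file missing)") or dropped straight into C:\WINDOWS instead of under Program Files. The script below is an added example for this thread, not HijackThis's or SifuMike's own code; it applies those same rules to a HijackThis 1.99.1 log and returns exactly the lines to tick before clicking "fix". The sample input is copied from the 6:37 PM log posted above (plus one O4 line that must not be flagged); the trusted-host allowlist for ShellNext and the "legitimate BHOs live under Program Files" rule are my assumptions, not anything HijackThis itself checks.

```python
"""Triage the R1/O2 lines of a HijackThis 1.99.1 log.

Added example for this thread, not HijackThis's or the helper's own code.
Rules are my heuristics: a BHO whose DLL is gone, a BHO loaded from outside
Program Files, or a ShellNext value pointing at a non-Microsoft host is
worth a "fix".  Sample lines are copied from the 6/24/2007 6:37 PM log above.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Sample input: the R1/O2 block of the log posted above, plus one O4 line
# that must NOT be flagged.  Raw string so the backslashes survive.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ads.k8l.info/media/servlet/view/dyn...TTC=6&GNW=0
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: BHOAd - {85589B5D-D53D-4237-A677-46B82EA275F3} - C:\WINDOWS\xmlhelper2.dll
O2 - BHO: 0 - {C4B71525-63DA-49E7-8298-49AA49AE9D93} - C:\Program Files\support.com\lawu.dll (file missing)
O2 - BHO: (no name) - {E99F508C-DAC6-4020-B612-BE26FAADC64A} - C:\Program Files\Windows NT\holenusa.dll (file missing)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
"""

# O2 lines look like: "O2 - BHO: <name> - {CLSID} - <path or status>".
# The name is matched lazily so a path containing " - " (Spybot) stays whole.
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$")
R1_RE = re.compile(r"^R1 - (?P<key>[^=]+?),ShellNext = (?P<url>.*)$")

# Hosts I treat as benign in ShellNext (assumption; extend for your environment).
TRUSTED_SHELLNEXT_HOSTS = ("microsoft.com", "msn.com")


@dataclass(frozen=True)
class Finding:
    line: str      # the HijackThis line, verbatim, ready to tick in the "fix" list
    reason: str


def _trusted(host):
    return any(host == t or host.endswith("." + t) for t in TRUSTED_SHELLNEXT_HOSTS)


def _dll_missing(path):
    return path == "(no file)" or path.endswith("(file missing)")


def triage(log_text):
    """Return one Finding per R1/O2 line that deserves a fix; other lines are ignored."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = R1_RE.match(line)
        if m:
            host = (urlsplit(m["url"].strip()).hostname or "").lower()
            if host and not _trusted(host):
                findings.append(Finding(line, f"ShellNext set to third-party host {host}"))
            continue
        m = O2_RE.match(line)
        if not m:
            continue
        path = m["path"].strip()
        if _dll_missing(path):
            findings.append(Finding(line, "orphaned BHO: registration left behind after DLL removal"))
        elif not path.lower().startswith("c:\\program files\\"):
            findings.append(Finding(line, f"BHO DLL outside Program Files: {path}"))
    return findings


def fix_list(log_text):
    """Just the lines, in log order, to select in HijackThis and click 'fix'."""
    return [f.line for f in triage(log_text)]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason}\n    {f.line}")
```

Run against the sample it returns the same five lines SifuMike listed and leaves SDHelper.dll and the avast O4 entry alone. It only covers the two line types the reply deals with; the O4 and O23 entries from the first log still need a human eye, and an orphaned O2 line should be followed by deleting the on-disk DLL where one remains, as the reply does with C:\WINDOWS\xmlhelper2.dll.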

#7 vjaybm (Topic Starter; Members, 9 posts)

Posted 24 June 2007 - 08:04 PM

Hi SifuMike,

The machine is working pretty good now. Here are the log files:

"jyoti" - 2007-06-24 20:56:36 - ComboFix 07-06-23.5 - Service Pack 2


((((((((((((((((((((((((( Files Created from 2007-05-25 to 2007-06-25 )))))))))))))))))))))))))))))))


2007-06-24 20:53 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Yahoo! Companion
2007-06-24 20:38 <DIR> d-------- C:\Program Files\CCleaner
2007-06-24 13:48 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-06-24 13:18 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-06-24 13:13 <DIR> d---s---- C:\DOCUME~1\jyoti\UserData
2007-06-24 12:30 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Windows Genuine Advantage
2007-06-24 11:19 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-24 11:14 916 --a------ C:\WINDOWS\system32\winpfz32.sys
2007-06-24 10:57 95,872 --a------ C:\WINDOWS\system32\AvastSS.scr
2007-06-24 10:57 43,176 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-06-24 10:57 26,888 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-06-24 10:57 23,416 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-06-24 10:56 94,552 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-06-24 10:56 85,952 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-06-24 10:56 745,600 --a------ C:\WINDOWS\system32\aswBoot.exe
2007-06-24 10:56 <DIR> d-------- C:\Program Files\Alwil Software
2007-06-23 19:39 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-06-23 19:34 <DIR> d--hs---- C:\FOUND.001
2007-06-23 18:58 <DIR> d-------- C:\WINDOWS\pss
2007-06-23 18:36 4,628 --a------ C:\WINDOWS\system32\wepiiiel.exe
2007-06-23 18:34 <DIR> d-------- C:\DOCUME~1\jyoti\APPLIC~1\Yahoo!
2007-06-23 18:30 786,432 --ah----- C:\DOCUME~1\jyoti\NTUSER.DAT
2007-06-22 23:56 4,628 --a------ C:\WINDOWS\system32\nljbpcmk.exe
2007-06-12 20:33 5,504 --a------ C:\WINDOWS\system32\drivers\MSTEE.sys
2007-06-12 20:32 15,360 --a------ C:\WINDOWS\system32\drivers\StreamIP.sys
2007-06-12 20:32 11,136 --a------ C:\WINDOWS\system32\drivers\SLIP.sys
2007-06-12 20:32 10,880 --a------ C:\WINDOWS\system32\drivers\NdisIP.sys
2007-06-12 20:31 85,376 --a------ C:\WINDOWS\system32\drivers\NABTSFEC.sys
2007-06-12 20:31 19,328 --a------ C:\WINDOWS\system32\drivers\WSTCODEC.SYS
2007-06-12 20:31 17,024 --a------ C:\WINDOWS\system32\drivers\CCDECODE.sys
2007-06-12 20:29 53,760 --a------ C:\WINDOWS\system32\vfwwdm32.dll
2007-06-12 20:29 39,424 -ra------ C:\WINDOWS\system32\drivers\LVUSBSta.sys
2007-06-12 20:29 380,928 -ra------ C:\WINDOWS\system32\LVUI2RC.dll
2007-06-12 20:29 287,360 -ra------ C:\WINDOWS\system32\drivers\LV561AV.SYS
2007-06-12 20:29 217,088 -ra------ C:\WINDOWS\system32\LVUI2.dll
2007-06-12 20:29 204,800 -ra------ C:\WINDOWS\system32\lvcodec2.dll
2007-06-12 20:29 2,112 -ra------ C:\WINDOWS\system32\Repository.reg
2007-06-12 20:29 110,592 -ra------ C:\WINDOWS\system32\lvcoinst.dll
2007-06-12 20:07 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Yahoo!
2007-06-12 19:55 <DIR> d-------- C:\Program Files\Yahoo!
2007-06-11 23:20 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2007-06-11 23:20 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2007-06-11 23:20 <DIR> d-------- C:\WINDOWS\system32\PreInstall
2007-06-11 20:40 <DIR> d-------- C:\Program Files\Common Files\Ahead
2007-06-11 20:37 <DIR> d-------- C:\Program Files\Nero
2007-06-11 18:53 <DIR> d-------- C:\anti-virus
2007-06-11 18:09 <DIR> d-------- C:\WINDOWS\system32\SoftwareDistribution
2007-06-11 18:02 <DIR> d--hs---- C:\FOUND.000
2007-06-10 20:17 <DIR> d--hs---- C:\UWA7P
2007-06-10 18:21 89,088 --a------ C:\WINDOWS\system32\atl71.dll
2007-06-10 18:21 8,704 --a------ C:\WINDOWS\system32\SpOrder.dll
2007-06-10 18:21 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
2007-06-10 18:21 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll
2007-06-10 18:21 1,060,864 --a------ C:\WINDOWS\system32\mfc71.dll
2007-06-10 18:21 <DIR> d-------- C:\Program Files\Common Files\WinAntiVirus Pro 2007
2007-06-10 18:21 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\WinAntiVirus Pro 2007
2007-06-10 18:09 <DIR> d-------- C:\WINDOWS\system32\TQ0
2007-06-10 18:09 <DIR> d-------- C:\WINDOWS\system32\T1QaSQ
2007-06-10 18:09 <DIR> d-------- C:\Temp\x2b
2007-06-10 18:09 <DIR> d-------- C:\Temp


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-04-25 14:21:16 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2007-04-18 16:12:24 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-17 05:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-17 05:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-17 05:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-17 05:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-17 05:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-17 05:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-17 05:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-17 05:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{02478D38-C3F9-4EFB-9B51-7695ECA05670}=C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll [2006-10-26 10:28]
{53707962-6F74-2D53-2644-206D7942484F}=C:\Program Files\Spybot - Search & Destroy\SDHelper.dll [2005-05-31 01:04]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-04-30 08:42]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 02:25]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-09-13 11:12]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2007-05-30 05:29]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Driver]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Guard]


Contents of the 'Scheduled Tasks' folder
2007-06-24 07:00:02 C:\WINDOWS\tasks\At1.job

**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-24 20:58:14
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

cmd.exe [3032]


scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-06-24 21:00:08
C:\ComboFix-quarantined-files.txt ... 2007-06-24 20:59
C:\ComboFix2.txt ... 2007-06-24 11:47

--- E O F ---
-----------------------------------------------------------------------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 9:02:28 PM, on 6/24/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\WgaTray.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\explorer.exe
C:\Program Files\HijackThis\HijackThis.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

Regards,
Vijay
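As an added example (not code from this thread or from HijackThis), the Python below reads HijackThis log lines like the ones in the post above, pulls the image path out of each entry and flags the markers a log reader checks first: (no name), Unknown owner, (file missing), and an autostart living outside Program Files or Windows. The (file missing) flag is cross-checked against the Running processes list, which is what shows the avast service entries above are in fact running; the HKCU "updater" line and the "user" profile name are constructed.

```python
# Triage helper for HijackThis v1.99.1 log lines (added example; not code
# from this thread or from HijackThis). The HKCU "updater" line and the
# "user" profile name in the sample below are constructed for illustration.
import re
from pathlib import PureWindowsPath

# Excerpt of the log posted in this thread, plus one constructed O4 line.
SAMPLE_LOG = r"""Running processes:
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [updater] C:\DOCUME~1\user\LOCALS~1\Temp\updater.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
"""

ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.+)$")
# First drive path, %var% path or URL in the entry, up to a binary extension.
# Searching (rather than splitting on " - ") survives "Spybot - Search & Destroy".
PATH_RE = re.compile(
    r"(?:[A-Za-z]:\\|%\w+%\\|https?://)[^\"]*?\.(?:exe|dll|scr|sys|cab|ocx)\b", re.I)
# Where legitimate autostart entries normally live on an XP box.
TRUSTED_ROOTS = ("c:\\program files", "c:\\progra~1", "c:\\windows",
                 "%windir%", "%systemroot%", "http://")


def triage(log: str) -> list[dict]:
    """Return one finding per entry that carries at least one flag."""
    running, findings, in_procs = set(), [], False
    for line in log.splitlines():
        line = line.strip()
        if line.lower().startswith("running processes"):
            in_procs = True
            continue
        if in_procs and line:
            running.add(PureWindowsPath(line).name.lower())
            continue
        in_procs = False              # a blank line closes the process list
        m = ENTRY_RE.match(line)
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")
        path = "".join(PATH_RE.findall(body)[:1])     # first path, or ""
        flags = []
        if "(no name)" in body:
            flags.append("no name")
        if "Unknown owner" in body:
            flags.append("unknown owner")
        if "(file missing)" in body:
            # An image that is in the process list plainly exists: the marker
            # then comes from the stray quote HijackThis left in the path.
            base = PureWindowsPath(path).name.lower()
            flags.append("file missing (but running)" if base in running
                         else "file missing")
        if path and not path.lower().startswith(TRUSTED_ROOTS):
            flags.append("unusual location")
        if flags:
            findings.append({"section": sec, "path": path, "flags": flags})
    return findings
```

Entries with no flags (the avast Run entry and the AVG guard service in the sample) are dropped from the result, so the output is only the lines worth a closer look.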

#8 SifuMike

malware expert

Posted 24 June 2007 - 09:15 PM

Hi Vijay,

We have some more files and folders to delete.

Click on start, then control panel, and then double-click on add/remove programs.
From within add/remove program uninstall the following by double-clicking on the following entry (if it exists):
WinAntiVirus Pro 2007

Reboot your computer.

Using Windows Explorer, delete the following files/folders in bold (Do not be concerned if they do not exist)


C:\WINDOWS\system32\wepiiiel.exe <== file
C:\WINDOWS\system32\nljbpcmk.exe <== file
C:\Program Files\Common Files\WinAntiVirus Pro 2007\ <== folder
C:\DOCUME~1\ALLUSE~1\APPLIC~1\WinAntiVirus Pro 2007\ <== folder

Run ComboFix and post the ComboFix log for a final check. :thumbsup:
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#9 vjaybm

Topic Starter

Posted 24 June 2007 - 11:05 PM

Hi SifuMike,

Can you also kindly advise me which Anti-virus I should use on my machine? And should I retain the anti-spyware also?

Here's the log file:

"jyoti" - 2007-06-24 23:53:49 - ComboFix 07-06-23.5 - Service Pack 2


((((((((((((((((((((((((( Files Created from 2007-05-25 to 2007-06-25 )))))))))))))))))))))))))))))))


2007-06-24 21:12 <DIR> d-------- C:\DOCUME~1\jyoti\APPLIC~1\Ahead
2007-06-24 20:53 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Yahoo! Companion
2007-06-24 20:38 <DIR> d-------- C:\Program Files\CCleaner
2007-06-24 13:48 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-06-24 13:18 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-06-24 13:13 <DIR> d---s---- C:\DOCUME~1\jyoti\UserData
2007-06-24 12:30 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Windows Genuine Advantage
2007-06-24 11:19 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-24 11:14 916 --a------ C:\WINDOWS\system32\winpfz32.sys
2007-06-24 10:57 95,872 --a------ C:\WINDOWS\system32\AvastSS.scr
2007-06-24 10:57 43,176 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-06-24 10:57 26,888 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-06-24 10:57 23,416 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-06-24 10:56 94,552 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-06-24 10:56 85,952 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-06-24 10:56 745,600 --a------ C:\WINDOWS\system32\aswBoot.exe
2007-06-24 10:56 <DIR> d-------- C:\Program Files\Alwil Software
2007-06-23 19:39 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-06-23 19:34 <DIR> d--hs---- C:\FOUND.001
2007-06-23 18:58 <DIR> d-------- C:\WINDOWS\pss
2007-06-23 18:34 <DIR> d-------- C:\DOCUME~1\jyoti\APPLIC~1\Yahoo!
2007-06-23 18:30 1,048,576 --ah----- C:\DOCUME~1\jyoti\NTUSER.DAT
2007-06-12 20:33 5,504 --a------ C:\WINDOWS\system32\drivers\MSTEE.sys
2007-06-12 20:32 15,360 --a------ C:\WINDOWS\system32\drivers\StreamIP.sys
2007-06-12 20:32 11,136 --a------ C:\WINDOWS\system32\drivers\SLIP.sys
2007-06-12 20:32 10,880 --a------ C:\WINDOWS\system32\drivers\NdisIP.sys
2007-06-12 20:31 85,376 --a------ C:\WINDOWS\system32\drivers\NABTSFEC.sys
2007-06-12 20:31 19,328 --a------ C:\WINDOWS\system32\drivers\WSTCODEC.SYS
2007-06-12 20:31 17,024 --a------ C:\WINDOWS\system32\drivers\CCDECODE.sys
2007-06-12 20:29 53,760 --a------ C:\WINDOWS\system32\vfwwdm32.dll
2007-06-12 20:29 39,424 -ra------ C:\WINDOWS\system32\drivers\LVUSBSta.sys
2007-06-12 20:29 380,928 -ra------ C:\WINDOWS\system32\LVUI2RC.dll
2007-06-12 20:29 287,360 -ra------ C:\WINDOWS\system32\drivers\LV561AV.SYS
2007-06-12 20:29 217,088 -ra------ C:\WINDOWS\system32\LVUI2.dll
2007-06-12 20:29 204,800 -ra------ C:\WINDOWS\system32\lvcodec2.dll
2007-06-12 20:29 2,112 -ra------ C:\WINDOWS\system32\Repository.reg
2007-06-12 20:29 110,592 -ra------ C:\WINDOWS\system32\lvcoinst.dll
2007-06-12 20:07 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Yahoo!
2007-06-12 19:55 <DIR> d-------- C:\Program Files\Yahoo!
2007-06-11 23:20 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2007-06-11 23:20 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2007-06-11 23:20 <DIR> d-------- C:\WINDOWS\system32\PreInstall
2007-06-11 20:40 <DIR> d-------- C:\Program Files\Common Files\Ahead
2007-06-11 20:37 <DIR> d-------- C:\Program Files\Nero
2007-06-11 18:53 <DIR> d-------- C:\anti-virus
2007-06-11 18:09 <DIR> d-------- C:\WINDOWS\system32\SoftwareDistribution
2007-06-11 18:02 <DIR> d--hs---- C:\FOUND.000
2007-06-10 20:17 <DIR> d--hs---- C:\UWA7P
2007-06-10 18:21 89,088 --a------ C:\WINDOWS\system32\atl71.dll
2007-06-10 18:21 8,704 --a------ C:\WINDOWS\system32\SpOrder.dll
2007-06-10 18:21 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
2007-06-10 18:21 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll
2007-06-10 18:21 1,060,864 --a------ C:\WINDOWS\system32\mfc71.dll
2007-06-10 18:09 <DIR> d-------- C:\WINDOWS\system32\TQ0
2007-06-10 18:09 <DIR> d-------- C:\WINDOWS\system32\T1QaSQ
2007-06-10 18:09 <DIR> d-------- C:\Temp\x2b
2007-06-10 18:09 <DIR> d-------- C:\Temp


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-04-25 14:21:16 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2007-04-18 16:12:24 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-17 05:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-17 05:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-17 05:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-17 05:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-17 05:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-17 05:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-17 05:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-17 05:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{02478D38-C3F9-4EFB-9B51-7695ECA05670}=C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll [2006-10-26 10:28]
{53707962-6F74-2D53-2644-206D7942484F}=C:\Program Files\Spybot - Search & Destroy\SDHelper.dll [2005-05-31 01:04]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-04-30 08:42]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 02:25]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-09-13 11:12]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2007-05-30 05:29]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Driver]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Guard]


Contents of the 'Scheduled Tasks' folder
2007-06-24 07:00:02 C:\WINDOWS\tasks\At1.job

**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-24 23:55:26
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-06-24 23:57:08
C:\ComboFix-quarantined-files.txt ... 2007-06-24 23:56
C:\ComboFix3.txt ... 2007-06-24 11:47
C:\ComboFix2.txt ... 2007-06-24 21:00

--- E O F ---
-------------------------------------------------------------------------------------------------------------

Regards,
Vijay

#10 SifuMike

malware expert

Posted 24 June 2007 - 11:18 PM

Hi Vijay,


Your log looks clean! :thumbsup: Good job on the cleanup!

Let's reset your files so they are hidden and protected.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab.
Under the Hidden files and folders heading deselect Show hidden files and folders.
Check the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

Let's clean your System Restore points and set a new one:

Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows.
The files in System Restore are protected to prevent any programs from changing those files.
This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected)

1. Turn off System Restore.

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Restart your computer.

3. Turn ON System Restore.

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check Turn off System Restore.
Click Apply, and then click OK.
NOTE: only do this ONCE, NOT on a regular basis

System Restore will now be active again.

Can you also kindly advise me which Anti-virus I should use on my machine? And should I retain the anti-spyware also?


I assume you want a free antivirus. All of these antivirus programs are very good: Avast, Antivir, and AVG. Remember, only one antivirus program should be running on your computer.

If you want to pay for an antivirus program please tell me.

For free antispyware, the free AVG antispyware is very good, as is the free A-squared, and AdAware 2007.

Please read and follow How did I get infected?, With steps so it does not happen again!

Below I have included a number of recommendations on how to protect your computer in order to prevent future malware infections. Please take these recommendations seriously! These few simple steps can stave off the vast majority of spyware problems.

Regularly go to http://windowsupdate.microsoft.com and download all the "critical updates" for Windows, including the latest version of Internet Explorer. This can patch many of the security holes through which attackers can gain access to your computer. You should also turn on the Windows automatic update feature.

You should definitely maintain a firewall. Some good free firewalls are Kerio, ZoneAlarm, or Outpost.
A tutorial on understanding and using firewalls may be found here.

In order to protect yourself against spyware, you should consider installing and running the following free programs:

SpywareBlaster
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found here.

SpywareGuard
A tutorial on using SpywareGuard for realtime protection against spyware and hijackers may be found here.

Spybot-Search & Destroy
A tutorial on using Spybot to remove spyware from your computer may be found here. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.

IE/Spyad:
It places over 5000 malicious websites and domains in your IE's restricted zone.
IE/Spyad

Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

* Avoid illegal sites, because that's where most malware is present.
* Don't click on links inside popups.
* Don't click on links in spam messages claiming to offer anti-spyware software; because most of these so called removers ARE spyware.
* Download free software only from sites you know and trust. A lot of free software can bundle other software, including spyware.

Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in popup blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from here:
http://www.mozilla.org/products/firefox/

Please make sure to run your antivirus software regularly, and to keep it up-to-date.

#11 SifuMike

malware expert

Posted 28 June 2007 - 10:26 AM

Hi Vijay,

Sorry to be like Columbo, but just one more thing. :thumbsup:

Do you still have this folder C:\Qoobox\quarantine\?

If so, then please post the contents of it, as I need to check it.

#12 vjaybm

Topic Starter

Posted 01 July 2007 - 08:59 PM

Hi,

No, there is no folder with that name.

My PC is running great. Thanks for all the help!

Regards,
Vijay

#13 SifuMike

malware expert

Posted 01 July 2007 - 09:01 PM

Ok, I was just checking to see that it is gone. :thumbsup:

#14 SifuMike

malware expert

Posted 08 July 2007 - 04:31 PM

Since your problem appears to be resolved, this thread will now be closed. If you need this topic reopened, please contact me or a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.