
Have Alot Of Viruses?


  • This topic is locked
26 replies to this topic

#1 BlackWaltz

  • Members
  • 53 posts

Posted 14 July 2007 - 02:30 AM

I should have Smitfraud and a lot of other things... so yeah...


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:25:04 AM, on 7/14/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\ISafe.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\VetMsg.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\wuauclt.exe
\?\C:\WINDOWS\system32\WBEM\WMIADAP.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\SoftwareDistribution\Download\f040a43a7788e207ef67f26bf9f0471f\update\update.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [smgr] mgrs.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [icq.com] rundll32.exe "C:\WINDOWS\system32\xjnrdsqj.dll",forkonce
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvpuz.dll,startup
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: officejet 6100.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send Image to Photo Library - file://C:\Documents and Settings\Charles\Application Data\MGI\PhotoSuite4\Temp\MGI00000.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {8CE3BAE6-AB66-40B6-9019-41E5282FF1E2} (QuickBooks Online Edition Utilities Class v8) - https://accounting.quickbooks.com/c3/v15.244/qboax8.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab53083.cab
O16 - DPF: {EF98AF7B-1F54-4079-91BC-3996DEABA45A} (Sinstaller Class) - http://www.cursorcafe.com/bin/cursorcafe.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\ISafe.exe
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\cddcsfyg.exe (file missing)
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\VetMsg.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O24 - Desktop Component 0: (no name) - http://us.a1.yahoofs.com/users/4255c92azbc...hIOVgDBQMf3AWY0

--
End of file - 6446 bytes


#2 BlackWaltz

  • Topic Starter
  • Members
  • 53 posts

Posted 14 July 2007 - 02:47 AM

I tried deleting some things... like Avast. That won't delete... other things such as...
smithfraud-c is there.
Outerinfo
and a bunch of other things too.

I even checked my ping in a non-laggy area of a game and it was 1300 while the norm is 80 or something.

#3 htv8

  • Members
  • 1,694 posts
  • Gender:Male
  • Location:The Netherlands

Posted 14 July 2007 - 06:27 AM

Hello BlackWaltz, and welcome to BleepingComputer. I will be handling your log to help you get cleaned up.

Please take note of the following:
1. I will start working on your malware issues; this may or may not solve other issues you have with your machine.
2. The fixes are specific to your problem and should only be used for this issue on this machine.
3. The process is not instant. Please continue to review my answers until I tell you your machine is clean.
4. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.
5. Please reply to this thread. Do not start a new topic.

Please give me some time to look over your log and I will get back to you as soon as possible.

Thanks,

htv8
If I have not posted back within 24 hours, feel free to send me a PM with your topic link.


#4 htv8

  • Members
  • 1,694 posts
  • Gender:Male
  • Location:The Netherlands

Posted 14 July 2007 - 07:09 AM

Hello there.
________________________________________________________________________________
IMPORTANT
I do not recommend that you have more than one antivirus product installed and running on your computer at a time. The reason for this is that if both products have their automatic (real-time) protection switched on, then those products which do not encrypt the virus strings within them can cause other antivirus products to cause false alarms. It can also lead to a clash as both products fight for access to files which are opened again: this is the resident/automatic protection. In general terms, the programs may conflict and cause:
- False Alarms - When the antivirus software tells you that your PC has a virus when it actually doesn't.
- System Performance Problems - Your system may lock up due to both software products attempting to access the same file at the same time.

Therefore please go to Start > Control Panel > Add/Remove Programs and remove either your avast! Antivirus or the eTrust EZ Antivirus.
I personally recommend removing avast! and keeping eTrust as the eTrust Internet Security Suite which is installed offers a powerful set of tools to thwart all kinds of online mayhem. If you want to uninstall avast! and still have trouble removing it, please let me know.

IMPORTANT
It is important that you use a software firewall, to prevent unauthorised traffic both out of and into your computer.
Your log doesn't show a firewall running. If you have disabled your eTrust's firewall (which comes with the eTrust Internet Security Suite), please re-enable it.
Alternatively, if you do not want to use the eTrust Personal Firewall, please install one of these good (and free) products (and make sure eTrust's firewall is set to disabled):
- ZoneAlarm
- Comodo Free Firewall
- Outpost Firewall Free
- Sunbelt Personal Firewall (= Kerio) - learn more here

NOTE: Never install more than one firewall program on your system. Several together can give problems and decrease the reliability of it seriously.

Please print out or copy this page to Notepad.
Make sure to work through the fixes in the exact order in which they are mentioned below and do not miss any steps out. If you have any queries about the process or just general questions, ask your question(s) before proceeding with the fixes.


Step #1: Generate an uninstall list
We need to use HijackThis to create an uninstall list. Please provide me an uninstall list by performing these steps:
1. Open HijackThis.
2. Click once on the Config... button.
3. Go to the Misc Tools section by clicking on the Misc Tools button on top of the screen.
4. Click on the Open Uninstall Manager... button. You'll see a list of currently installed programs.
5. Click on the Save list... button and specify where you would like to save the uninstall list.
6. Click Save.
Notepad will open up with the contents of that file.
7. Copy and paste the contents of that Notepad file (uninstall_list.txt) as a reply to this topic.

Step #2: Rename HijackThis
Occasionally malware hides itself from HijackThis. Navigate to C:\Program Files\HijackThis\HijackThis.exe using My Computer or Windows Explorer and right-click on the HijackThis.exe file. Select the Rename option from the right-click menu and rename HijackThis.exe to fluffybunny.exe and press Enter.

Step #3: Re-scan with HijackThis
Scan with HijackThis (fluffybunny.exe) again and post a new HijackThis log.
________________________________________________________________________________
So in your next reply, please post the entire contents of:
- the created uninstall list (uninstall_list.txt)
- a new HijackThis log
NOTE: Use several posts if necessary to include everything in the requested logs.
If I have not posted back within 24 hours, feel free to send me a PM with your topic link.


#5 BlackWaltz

  • Topic Starter
  • Members
  • 53 posts

Posted 15 July 2007 - 01:17 PM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:14:04 PM, on 7/15/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\HijackThis\Fluffybunny.exe.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3A394684-D069-8CEB-1C14-888DBB2781C1} - C:\WINDOWS\system32\obmits.dll
O2 - BHO: (no name) - {43A6E052-0D1F-4877-8022-A3F17D0D8D5B} - C:\WINDOWS\system32\geedd.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6B3F10D0-863B-DFBD-1C14-888DBB26D2C6} - C:\WINDOWS\system32\iea.dll
O2 - BHO: (no name) - {6F681586-D76B-DDED-1214-888DBB26D3C4} - C:\WINDOWS\system32\onvb.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: (no name) - {890CFBF0-10D5-43D3-ABFD-206F7C4A2699} - C:\WINDOWS\system32\wvuttrp.dll
O2 - BHO: (no name) - {938A8A03-A938-4019-B764-03FF8D167D79} - C:\WINDOWS\system32\pjicmxwb.dll
O2 - BHO: (no name) - {EB9F03A2-9346-4903-A539-8AC72812C9B7} - (no file)
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [smgr] mgrs.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [icq.com] rundll32.exe "C:\WINDOWS\system32\fikjrpfj.dll",forkonce
O4 - HKLM\..\Run: [avp] C:\WINDOWS\TEMP\win18.tmp.exe
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvlad.dll,startup
O4 - HKLM\..\Run: [Intel system tool] C:\WINDOWS\system32\svehost.exe
O4 - HKLM\..\Run: [clcl13] C:\WINDOWS\system32\clcl13.exe
O4 - HKLM\..\RunOnce: [clcl] command.com /c del C:\WINDOWS\system32\clcl.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [Tnwr] "C:\PROGRA~1\COMMON~1\FNTS~1\csrss.exe" -vt yazb
O4 - HKCU\..\Run: [Hztco] "C:\Documents and Settings\Charles\My Documents\?ppPatch\n?lookup.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: officejet 6100.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send Image to Photo Library - file://C:\Documents and Settings\Charles\Application Data\MGI\PhotoSuite4\Temp\MGI00000.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {8CE3BAE6-AB66-40B6-9019-41E5282FF1E2} (QuickBooks Online Edition Utilities Class v8) - https://accounting.quickbooks.com/c3/v15.244/qboax8.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab53083.cab
O16 - DPF: {EF98AF7B-1F54-4079-91BC-3996DEABA45A} (Sinstaller Class) - http://www.cursorcafe.com/bin/cursorcafe.cab
O20 - Winlogon Notify: geedd - C:\WINDOWS\system32\geedd.dll
O20 - Winlogon Notify: khfdbax - khfdbax.dll (file missing)
O20 - Winlogon Notify: winosz32 - C:\WINDOWS\SYSTEM32\winosz32.dll
O20 - Winlogon Notify: wvuttrp - C:\WINDOWS\SYSTEM32\wvuttrp.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\ISafe.exe
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\cddcsfyg.exe (file missing)
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\VetMsg.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O24 - Desktop Component 0: (no name) - http://us.a1.yahoofs.com/users/4255c92azbc...hIOVgDBQMf3AWY0

--
End of file - 7080 bytes


Ad-Aware 2007
Adobe Flash Player 9 ActiveX
Adobe Reader 7.0.5
Adobe® Photoshop® Album Starter Edition 3.0
AIM 6
AIM Invader Pro 1.1.891
AOL Instant Messenger
AVG Anti-Spyware 7.5
BitLord 1.1
CA Anti-Virus
CAM-IN SUITE III
CCleaner (remove only)
Dofus 1.19.0
HijackThis 2.0.2
HP Memories Disc
hp officejet 6100 series
HP Photo and Imaging 2.0 - All-in-One
HP Photo and Imaging 2.0 - All-in-One Drivers
HP Photo and Imaging 2.0 - hp officejet 6100 series
IrfanView (remove only)
iTunes
J2SE Runtime Environment 5.0 Update 11
Korean Language Support
LimeWire 4.9.37
Macromedia Shockwave Player
MGI PhotoSuite 4 (Remove Only)
MGI VideoWave 4
Microsoft Office Standard Edition 2003
mIRC
Mozilla Firefox (1.5.0.11)
MSXML 4.0 SP2 (KB927978)
Outerinfo
Panda ActiveScan
QuickTime
RealPlayer
Realtek AC'97 Audio
Spybot - Search & Destroy 1.4
Vector Graphics ActiveX
Ventrilo Client
VideoLAN VLC media player 0.8.5
Viewpoint Manager (Remove Only)
Viewpoint Media Player
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows Media Player 10
WinRAR archiver

#6 htv8

  • Members
  • 1,694 posts
  • Gender:Male
  • Location:The Netherlands

Posted 16 July 2007 - 08:22 AM

The HijackThis log you posted was created in Safe Mode (with network support). When a HijackThis log is made in Safe Mode, it may not show everything. If not mentioned otherwise, it is best to perform my instructions in normal mode as some options could not be performed when in Safe Mode.
Please reboot your computer to boot back into NORMAL MODE, and post a new HijackThis log. Please perform the instructions I give you in my next replies in normal mode, unless I tell you to do otherwise.
If I have not posted back within 24 hours, feel free to send me a PM with your topic link.


#7 BlackWaltz

  • Topic Starter
  • Members
  • 53 posts

Posted 17 July 2007 - 03:01 AM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:59:13 AM, on 7/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\ISafe.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\VetMsg.exe
C:\WINDOWS\system32\svehost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\Fluffybunny.exe.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3A394684-D069-8CEB-1C14-888DBB2781C1} - C:\WINDOWS\system32\obmits.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6B3F10D0-863B-DFBD-1C14-888DBB26D2C6} - C:\WINDOWS\system32\iea.dll
O2 - BHO: (no name) - {6F681586-D76B-DDED-1214-888DBB26D3C4} - C:\WINDOWS\system32\onvb.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: (no name) - {869F549C-305E-40E2-BFC1-DBD118092579} - C:\WINDOWS\system32\geedd.dll
O2 - BHO: (no name) - {890CFBF0-10D5-43D3-ABFD-206F7C4A2699} - C:\WINDOWS\system32\wvuttrp.dll
O2 - BHO: (no name) - {938A8A03-A938-4019-B764-03FF8D167D79} - C:\WINDOWS\system32\dlgferif.dll
O2 - BHO: (no name) - {EB9F03A2-9346-4903-A539-8AC72812C9B7} - (no file)
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [smgr] mgrs.exe
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvlad.dll,startup
O4 - HKLM\..\Run: [Intel system tool] C:\WINDOWS\system32\svehost.exe
O4 - HKLM\..\Run: [clcl13] C:\WINDOWS\system32\clcl13.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [icq.com] rundll32.exe "C:\WINDOWS\system32\vlvhgtor.dll",forkonce
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [Tnwr] "C:\PROGRA~1\COMMON~1\FNTS~1\csrss.exe" -vt yazb
O4 - HKCU\..\Run: [Hztco] "C:\Documents and Settings\Charles\My Documents\?ppPatch\n?lookup.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: officejet 6100.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send Image to Photo Library - file://C:\Documents and Settings\Charles\Application Data\MGI\PhotoSuite4\Temp\MGI00000.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {8CE3BAE6-AB66-40B6-9019-41E5282FF1E2} (QuickBooks Online Edition Utilities Class v8) - https://accounting.quickbooks.com/c3/v15.244/qboax8.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab53083.cab
O16 - DPF: {EF98AF7B-1F54-4079-91BC-3996DEABA45A} (Sinstaller Class) - http://www.cursorcafe.com/bin/cursorcafe.cab
O20 - Winlogon Notify: geedd - C:\WINDOWS\system32\geedd.dll
O20 - Winlogon Notify: khfdbax - khfdbax.dll (file missing)
O20 - Winlogon Notify: winosz32 - C:\WINDOWS\SYSTEM32\winosz32.dll
O20 - Winlogon Notify: wvuttrp - C:\WINDOWS\SYSTEM32\wvuttrp.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\ISafe.exe
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\cddcsfyg.exe (file missing)
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\VetMsg.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O24 - Desktop Component 0: (no name) - http://us.a1.yahoofs.com/users/4255c92azbc...hIOVgDBQMf3AWY0

--
End of file - 7837 bytes
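The logs posted in this thread are HijackThis reports, and the entries a log helper reads first are the O4 Run keys, the O2 browser helper objects, the O20 Winlogon Notify packages and the O23 services. The script below is an added example for this thread, not code from BleepingComputer, from the participants or from Trend Micro's HijackThis: it runs a few review heuristics over constructed sample lines modelled on the entries in these logs (a Run key launching from a temp folder, a system process name running from outside System32, a look-alike name such as svehost.exe, an unnamed BHO, a Winlogon Notify DLL, a service with no vendor whose file is missing) and says why each line deserves a second look. The look-alike name list and the rule set are assumptions chosen for illustration; the flags are prompts for review, not verdicts.

```python
"""Triage of HijackThis-style log lines.

Added example for this thread; it is not HijackThis code and not part of any
forum post. It flags entries a log reviewer would normally question. Flags are
prompts for review, not verdicts.
"""
import re

# Process names that, on a healthy Windows XP system, live only under the system directory.
SYSTEM_PROCESS_NAMES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                        "lsass.exe", "svchost.exe"}
# Constructed list of look-alike names (an assumption for illustration, not exhaustive).
LOOKALIKE_NAMES = {"svehost.exe", "scvhost.exe", "svch0st.exe", "lsas.exe", "csrs.exe"}

# A drive-letter path ending in .exe/.dll; non-greedy so "win18.tmp.exe" is taken whole.
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll)", re.I)
SYSTEM_DIR_RE = re.compile(r"^[A-Za-z]:\\windows\\system32\\", re.I)

# Constructed sample modelled on the entries in this thread's logs.
SAMPLE_LOG = [
    r"O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll",
    r"O2 - BHO: (no name) - {890CFBF0-10D5-43D3-ABFD-206F7C4A2699} - C:\WINDOWS\system32\wvuttrp.dll",
    r'O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime',
    r"O4 - HKLM\..\Run: [avp] C:\WINDOWS\TEMP\win18.tmp.exe",
    r"O4 - HKLM\..\Run: [Intel system tool] C:\WINDOWS\system32\svehost.exe",
    r"O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvlad.dll,startup",
    r'O4 - HKCU\..\Run: [Tnwr] "C:\PROGRA~1\COMMON~1\FNTS~1\csrss.exe" -vt yazb',
    r"O20 - Winlogon Notify: geedd - C:\WINDOWS\system32\geedd.dll",
    r"O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\cddcsfyg.exe (file missing)",
    r"O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe",
]


def triage_line(line):
    """Return the review reasons for one log line (an empty list means nothing flagged)."""
    reasons = []
    section = line.split(" - ", 1)[0]           # e.g. "O4", "O20", "O23"
    if "(file missing)" in line:
        reasons.append("points at a file that no longer exists (leftover registry entry)")
    if section == "O20":
        reasons.append("Winlogon Notify package: the DLL is loaded into winlogon.exe at every logon")
    if section == "O23" and "Unknown owner" in line:
        reasons.append("service carries no vendor information")
    if section == "O2" and "(no name)" in line:
        reasons.append("unnamed browser helper object")
    if section == "O4" and "rundll32" in line.lower():
        reasons.append("Run key uses rundll32 to load a DLL; confirm the DLL is known")
    for path in PATH_RE.findall(line):
        name = path.rsplit("\\", 1)[-1].lower()
        if "\\temp\\" in path.lower():
            reasons.append(f"{name} launches from a temp folder")
        if name in SYSTEM_PROCESS_NAMES and not SYSTEM_DIR_RE.match(path):
            reasons.append(f"{name} is a Windows system process name but runs from outside System32")
        if name in LOOKALIKE_NAMES:
            reasons.append(f"{name} mimics a Windows system process name")
    return reasons


def triage(lines):
    """Map every flagged line to its reasons; lines with nothing to report are left out."""
    report = {}
    for line in lines:
        reasons = triage_line(line)
        if reasons:
            report[line] = reasons
    return report


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG).items():
        print(line)
        for reason in reasons:
            print("    ->", reason)
```

Run against a real log, the clean entries (the Java SSV helper, the QuickTime task, the Lavasoft service) produce nothing, while the temp-folder Run key, the csrss.exe copy under Program Files, the svehost.exe look-alike, the unnamed BHO, the Winlogon Notify DLL and the vendor-less service with a missing file are each listed with the reason they were flagged. A heuristic hit still needs a human to check the file's publisher and origin before anything is removed, which is exactly the division of labour between the poster and the log helper in this thread.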

#8 htv8

  • Members
  • 1,694 posts
  • Gender:Male
  • Location:The Netherlands

Posted 18 July 2007 - 03:27 AM

Hello again, BlackWaltz.

Thanks for the logs. :thumbsup:

Question: Do you actually have the entire eTrust Internet Security Suite? Or do you only have CA's antivirus program: CA Anti-Virus?
It is important that you use a software firewall, to prevent unauthorised traffic both out of and into your computer.
Your log still doesn't show a firewall running. If you have disabled your firewall, please re-enable it.
If you do not have a firewall installed, please download and install one of these good (and free) products:
- ZoneAlarm
- Comodo Free Firewall
- Outpost Firewall Free
- Sunbelt Personal Firewall (= Kerio) - learn more here

NOTE: Never install more than one firewall program on your system. Several together can give problems and decrease the reliability of it seriously.
________________________________________________________________________________
IMPORTANT
You are infected with (a) stealth involved backdoor trojan(s). Backdoor trojans are software programs that give an attacker unauthorized access to a machine and the means for remotely controlling the machine without the user's knowledge. Backdoor trojan functionality allows unauthorised remote access to the infected computer while running in the background. A backdoor compromises system integrity by making changes to the system that allow it to be used by the attacker for malicious purposes unknown to the user.
In short: These pieces of malware allow hackers to remotely control your computer, steal critical system information and download and execute files.

Due to the status of some of the files you have on your computer, I would counsel you to immediately disconnect this PC from the Internet and from your network if it is on a network. Disconnect the infected computer from the Internet until the computer can be cleaned. Then, access this information from a non-compromised computer to follow the steps needed.
If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable: for email, banks, eBay, forums, etc. Do not change passwords or do any financial transactions while using the infected computer because the attacker may get the new passwords and transaction information. It would be wise to contact your financial institutions to apprise them of your situation. To protect your information that may have been compromised, I recommend reading this reference: How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?


Please print out or copy this page to Notepad. This will be useful as there is a possibility some of the instructions will need to be carried out where internet access is NOT available. A print out of the instructions would be a good reference to make sure you don't get lost. You may also like to save these instructions in Word/Notepad to the Desktop where they can be easily found for the same reasons as above.
Also make sure to work through the fixes in the exact order in which they are mentioned below and do not miss any steps out. If you have any queries about the process or just general questions, ask your question(s) before proceeding with the fixes.


You most likely got infected through file sharing. I see some P2P/File Sharing (related) programs installed on your computer: BitLord 1.1 and LimeWire 4.9.37. Aside from the obvious legal issues, file sharing is one of the primary ways through which people become infected with malware. Anytime you are running any type of P2P application, you are more prone to infection.
I suggest removing these programs. If you agree, go to Start > Control Panel > Add/Remove Programs and uninstall the following programs (if they are listed):
BitLord 1.1
LimeWire 4.9.37
If you do not want to uninstall (some of) these programs, please at least refrain from using any peer-to-peer programs for the remainder of my fix.

Step #1: Temporarily disable AVG Anti-Spyware's Resident Shield
You have AVG Anti-Spyware 7.5 running on your machine and that is good. However, AVG Anti-Spyware's Resident Shield can interfere with the changes you will make on your system, so please follow these instructions to temporarily disable AVG Anti-Spyware's Resident Shield:
1. Launch AVG Anti-Spyware by double-clicking the program's icon on your Desktop or in the system tray.
2. The main Status menu will appear. Select the Change state option to inactivate AVG AS's Resident Shield and Automatic Updates.
3. Right-click on the AVG Anti-Spyware icon in the system tray and uncheck the option labelled "Start with Windows".
4. Go to Start > Run.
5. In the Open: field type services.msc and press the OK button.
6. When the WinXP Services utility starts up, click the Extended tab on the bottom and scroll down the list to find the AVG Anti-Spyware Guard service.
7. When you find the service, double-click on it.
8. In the Properties window > General tab that opens, click the Stop button.
9. From the drop-down menu next to Startup type:, click on Manual.
10. Now click the Apply button, followed by clicking the OK button.
11. Close the Services window.
12. Reboot your computer.

Step #2: Uninstall bad and rogue/suspect programs
Go to Start > Control Panel > Add/Remove Programs and uninstall the following program (if it is listed):
Outerinfo <-- adware, see: Adware.PurityScan

I see Viewpoint installed. Viewpoint is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything bad. This will change from what we know in 2006. For more information about this, see this reference: Viewpoint to Plunge Into Adware. Additional information here: Viewpoint.
I strongly recommend removing Viewpoint. If you agree, go to Start > Control Panel > Add/Remove Programs and remove the following entries if present:
Viewpoint Manager
Viewpoint Media Player

Step #3: Update Java SE Runtime Environment (JRE)
Your Java is out of date. Older versions have vulnerabilities that malware can use, and is using, to infect systems. A malicious site could render Java content under older, vulnerable versions of Sun's software if the user has not removed them.
Please follow these steps to remove older version Java components:
1. Close all programs--especially your web browser--so that you have nothing open and are at your Desktop.
2. Go to Start > Control Panel > Add/Remove Programs and remove J2SE Runtime Environment 5.0 Update 11.
3. Once all Java components are removed, reboot your computer.

Once rebooted, download and install the latest version of Java Runtime Environment (JRE) 6u2 by following these steps:
1. Go to http://java.sun.com/javase/downloads/index.jsp.
2. Scroll down to where it says "Java Runtime Environment (JRE) 6u2 … The Java SE Runtime Environment (JRE) allows end-users to run Java applications.".
3. Click the Download button to the right.
4. Review the License Agreement and then select the radio button labelled "Accept License Agreement".
The page will refresh.
5. Click on the link to download the Windows Offline Installation and save the file to your Desktop.
6. From your Desktop, double-click the jre-6u2-windows-i586-p.exe file to install the newest version.

Step #4: Download and run SDFix
Download SDFix by clicking the download link below and save it to your Desktop.
Download SDFix (SDFix.exe)

Once downloaded, double-click SDFix.exe and it will extract the files to %systemdrive%, the drive that contains the Windows directory (typically C:\SDFix). Do NOT use SDFix yet.

Reboot your computer into SAFE MODE. Restart your computer and gently tap the F8 key repeatedly on your keyboard while starting up until you are presented with a new menu in which you can select the option for Safe Mode using the arrow keys on your keyboard.
For more information on how to boot your computer into Safe Mode, see this reference: How to start Windows into Safe Mode.


When in Safe Mode, please follow these steps:
1. Open the SDFix folder and double-click RunThis.bat to start the script.
2. Type Y to begin the cleanup process.
SDFix will remove any trojan services or registry entries that it finds and prompt you to press any key to reboot.
3. Press any key and it will restart the PC.
When the PC restarts, the fixtool will run again and complete the removal process.
4. When it then displays "Finished!", press any key to end the script and load your Desktop icons.
Once the Desktop icons load, the SDFix report will open on screen and also save into the SDFix folder as Report.txt. (Report.txt will also be copied to the clipboard ready for posting back on the forum.)
5. Please copy and paste the entire contents of the results file (Report.txt) in your next reply.

Step #5: Download and run VundoFix to get rid of Vundo
You have a Vundo infection. Download VundoFix.exe to your Desktop to get rid of it.
Download VundoFix.exe

Once downloaded, follow these steps to run VundoFix:
1. Double-click VundoFix.exe to run it.
2. Click the Scan for Vundo button.
3. Once it is done scanning, click the Remove Vundo button.
4. Click the Yes button at the prompt asking you if you want to remove the files.
NOTE: Once you click Yes, your Desktop will go blank as it starts removing Vundo.
5. When completed, it will prompt that it will reboot your computer. Click OK.
6. Post the entire contents of C:\vundofix.txt in your next reply.

NOTE: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot; simply follow the above instructions starting from the second step - "2. Click the Scan for Vundo button." - when VundoFix appears upon rebooting.

Step #6: Re-scan with HijackThis
Scan with HijackThis (Fluffybunny) again and post a new HijackThis log.
________________________________________________________________________________
So in your next reply, please post the entire contents of:
- the SDFix report (Report.txt)
- C:\vundofix.txt
- a new HijackThis log
NOTE: Use several posts if necessary to include everything in the requested logs.
If I have not posted back within 24 hours, feel free to send me a PM with your topic link.


#9 BlackWaltz

BlackWaltz
  • Topic Starter

  • Members
  • 53 posts

Posted 21 July 2007 - 02:17 AM

You said for SDFix that I must press 'Y'. Though that isn't an option... it just exits out of the application..
Also, I downloaded ZoneAlarm and it keeps crashing and making the computer not run as well as before. (Which wasn't great).

After these two are fixed then I can run Hijack This. Thank you!

#10 htv8

htv8

  • Members
  • 1,694 posts
  • Gender:Male
  • Location:The Netherlands

Posted 22 July 2007 - 05:52 AM

Hello again BlackWaltz, and sorry for the little delay.

You said for SDFix that I must press 'Y'. Though that isn't an option... it just exits out of the application..
[...]

Did you run SDFix in Safe Mode as instructed? The tool must be run in Safe Mode. Only in Safe Mode is the option to press Y to begin the cleanup process available. Please give it another try.

Also, I downloaded ZoneAlarm and it keeps crashing and making the computer not run as well as before. (Which wasn't great).

[...]

I did a bit of research, and as far as I know, ZoneAlarm just doesn't work properly on some systems. This is a known fact. (I have never had any problems with it, though.) When experiencing problems with the firewall program, you might want to uninstall ZoneAlarm (by going to Start > Control Panel > Add/Remove Programs) and replace it with an alternative (see my previous post).
I don't know what firewalls you have installed in the meantime, but please also make sure that you do not have more than one firewall program installed and running on your system as having more than one active can cause conflicts like these too. Do you actually have the entire eTrust Internet Security Suite installed?

Edited by htv8, 22 July 2007 - 05:52 AM.

If I have not posted back within 24 hours, feel free to send me a PM with your topic link.


#11 BlackWaltz

BlackWaltz
  • Topic Starter

  • Members
  • 53 posts

Posted 23 July 2007 - 11:40 PM

SDFix: Version 1.92

Run by Charles on Tue 07/24/2007 at 12:11 AM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\DOCUME~1\Charles\Desktop\SDFix

Safe Mode:
Checking Services:

Name:
core
runtime
runtime2
Windows Overlay Components

ImagePath:
system32\drivers\core.sys
\??\C:\WINDOWS\System32\drivers\runtime.sys
\SystemRoot\system32\drivers\runtime2.sys
C:\WINDOWS\mztpnqu.exe

core - Deleted
runtime2 - Deleted
Windows Overlay Components - Deleted



Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

Trojan Files Found:

C:\WINDOWS\Temp\win1368.tmp.exe - Deleted
C:\WINDOWS\Temp\win1368.tmp.exe - Deleted
C:\Program Files\InetGet2\popinstall.exe - Deleted
C:\WINDOWS\b122.exe - Deleted
C:\WINDOWS\mgrs.exe - Deleted
C:\WINDOWS\poolsv.exe - Deleted
C:\WINDOWS\retadpu1000106.exe - Deleted
C:\WINDOWS\retadpu77.exe - Deleted
C:\WINDOWS\svhost.exe - Deleted
C:\WINDOWS\system32\6_exception.nls - Deleted
C:\WINDOWS\system32\drivers\core.cache.dsk - Deleted
C:\WINDOWS\system32\drivers\core.sys - Deleted
C:\WINDOWS\system32\dwdsregt.exe - Deleted
C:\WINDOWS\system32\explorer.exe - Deleted
C:\WINDOWS\system32\ipv6mons.dll - Deleted
C:\WINDOWS\system32\msnav32.ax - Deleted
C:\WINDOWS\system32\svehost.exe - Deleted
C:\WINDOWS\tcb.pmw - Deleted
C:\WINDOWS\Temp\startdrv.exe - Deleted
C:\WINDOWS\wr.txt - Deleted
C:\WINDOWS\system32\drivers\runtime2.sys - Deleted


Folder C:\Program Files\InetGet2 - Removed

Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\BitTorrent\\bittorrent.exe"="C:\\Program Files\\BitTorrent\\bittorrent.exe:*:Enabled:BitTorrent"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\Program Files\\Common Files\\AOL\\1139693157\\ee\\aolsoftware.exe"="C:\\Program Files\\Common Files\\AOL\\1139693157\\ee\\aolsoftware.exe:*:Enabled:AOL Services"
"C:\\Program Files\\Common Files\\AOL\\1139693157\\ee\\aim6.exe"="C:\\Program Files\\Common Files\\AOL\\1139693157\\ee\\aim6.exe:*:Enabled:AIM"
"C:\\Program Files\\Common Files\\AOL\\1139705602\\ee\\aolsoftware.exe"="C:\\Program Files\\Common Files\\AOL\\1139705602\\ee\\aolsoftware.exe:*:Enabled:AOL Services"
"C:\\Program Files\\Common Files\\AOL\\1139705602\\ee\\aim6.exe"="C:\\Program Files\\Common Files\\AOL\\1139705602\\ee\\aim6.exe:*:Enabled:AIM"
"C:\\Program Files\\Warcraft III\\Warcraft III.exe"="C:\\Program Files\\Warcraft III\\Warcraft III.exe:*:Enabled:Warcraft III"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\Wizet\\MapleStory\\Patcher.exe"="C:\\Program Files\\Wizet\\MapleStory\\Patcher.exe:*:Enabled:Patcher MFC ?? ????"
"C:\\Program Files\\MAIET\\Gunz\\GunzLauncher.exe"="C:\\Program Files\\MAIET\\Gunz\\GunzLauncher.exe:*:Enabled:GunzLauncher"
"C:\\Program Files\\MAIET\\Gunz\\Gunz.exe"="C:\\Program Files\\MAIET\\Gunz\\Gunz.exe:*:Enabled:Gunz"
"C:\\Program Files\\mIRC\\mirc.exe"="C:\\Program Files\\mIRC\\mirc.exe:*:Enabled:mIRC"
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"="C:\\Program Files\\Mozilla Firefox\\firefox.exe:*:Enabled:Firefox"
"C:\\Program Files\\ARES\\Ares.exe"="C:\\Program Files\\ARES\\Ares.exe:*:Enabled:Ares Lite"
"C:\\Program Files\\Azureus\\Azureus.exe"="C:\\Program Files\\Azureus\\Azureus.exe:*:Enabled:Azureus"
"C:\\Program Files\\BitLord\\BitLord.exe"="C:\\Program Files\\BitLord\\BitLord.exe:*:Enabled:BitLord"
"C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"
"C:\\WINDOWS\\system32\\dpnsvr.exe"="C:\\WINDOWS\\system32\\dpnsvr.exe:*:Enabled:Microsoft DirectPlay8 Server"
"C:\\Program Files\\Black Isle\\Lionheart\\Lionheart.exe"="C:\\Program Files\\Black Isle\\Lionheart\\Lionheart.exe:*:Enabled:Lionheart"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.0"
"C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"C:\\Program Files\\Warcraft III\\ftinst.tmp\\Warcraft III.exe"="C:\\Program Files\\Warcraft III\\ftinst.tmp\\Warcraft III.exe:*:Enabled:Warcraft III"
"C:\\Program Files\\SurvivalProject\\sp.exe"="C:\\Program Files\\SurvivalProject\\sp.exe:*:Enabled:sp"
"C:\\Documents and Settings\\Charles\\Desktop\\pol_6.2\\Pokemon Online.exe"="C:\\Documents and Settings\\Charles\\Desktop\\pol_6.2\\Pokemon Online.exe:*:Enabled:Multimedia Fusion Stand Alone Application"
"C:\\Program Files\\AIM6\\aim6.exe"="C:\\Program Files\\AIM6\\aim6.exe:*:Enabled:AIM"
"C:\\DOCUME~1\\Charles\\LOCALS~1\\Temp\\win116.tmp.exe"="C:\\DOCUME~1\\Charles\\LOCALS~1\\Temp\\win116.tmp.exe:*:Enabled:win116.tmp"
"C:\\WINDOWS\\system32\\cddcsfyg.exe"="C:\\WINDOWS\\system32\\cdd"
"C:\\Program Files\\Warcraft III\\War3.exe"="C:\\Program Files\\Warcraft III\\War3.exe:*:Enabled:Warcraft III"
"C:\\WINDOWS\\TEMP\\win2E.tmp.exe"="C:\\WINDOWS\\TEMP\\win2E.tmp.exe:*:Enabled:win2E.tmp"
"C:\\WINDOWS\\TEMP\\win1B28.tmp.exe"="C:\\WINDOWS\\TEMP\\win1B28.tmp.exe:*:Enabled:win1B28.tmp"
"C:\\WINDOWS\\TEMP\\winBC.tmp.exe"="C:\\WINDOWS\\TEMP\\winBC.tmp.exe:*:Enabled:winBC.tmp"
"C:\\WINDOWS\\TEMP\\win1B.tmp.exe"="C:\\WINDOWS\\TEMP\\win1B.tmp.exe:*:Enabled:win1B.tmp"
"C:\\WINDOWS\\TEMP\\win19.tmp.exe"="C:\\WINDOWS\\TEMP\\win19.tmp.exe:*:Enabled:win19.tmp"
"C:\\WINDOWS\\TEMP\\win45.tmp.exe"="C:\\WINDOWS\\TEMP\\win45.tmp.exe:*:Enabled:win45.tmp"
"C:\\WINDOWS\\TEMP\\win1502.tmp.exe"="C:\\WINDOWS\\TEMP\\win1502.tmp.exe:*:Enabled:win1502.tmp"
"C:\\WINDOWS\\TEMP\\win13.tmp.exe"="C:\\WINDOWS\\TEMP\\win13.tmp.exe:*:Enabled:win13.tmp"
"C:\\WINDOWS\\TEMP\\win23A.tmp.exe"="C:\\WINDOWS\\TEMP\\win23A.tmp.exe:*:Enabled:win23A.tmp"
"C:\\WINDOWS\\system32\\ZoneLabs\\avsys\\ScanningProcess.exe"="C:\\WINDOWS\\system32\\ZoneLabs\\avsys\\ScanningProcess.exe:*:Enabled:Kaspersky AV Scanner"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.0"
"C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"

Remaining Files:
---------------

Backups Folder: - C:\DOCUME~1\Charles\Desktop\SDFix\backups\backups.zip

Files with Hidden Attributes:

C:\Documents and Settings\Charles\Application Data\s?mbols\javaw.exe
C:\Documents and Settings\Charles\My Documents\?ppPatch\n?lookup.exe
C:\Program Files\Common Files\Yazzle1549OinAdmin.exe
C:\Program Files\Common Files\Yazzle1549OinUninstaller.exe
C:\Program Files\Common Files\?icrosoft.NET\?vchost.exe
C:\WINDOWS\mztpnquA.exe
C:\WINDOWS\APPATC~1\chkdsk.exe
C:\WINDOWS\system32\W?nSxS\l?ass.exe
C:\WINDOWS\system32\config\default.tmp.LOG
C:\WINDOWS\system32\config\software.tmp.LOG
C:\WINDOWS\system32\config\system.tmp.LOG

Finished

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:35:37 AM, on 7/24/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\mztpnquA.exe
C:\DOCUME~1\Charles\APPLIC~1\SMBOLS~1\javaw.exe
C:\Program Files\Common Files\?icrosoft.NET\?vchost.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Trend Micro\HijackThis\Fluffybunny.exe.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3A394684-D069-8CEB-1C14-888DBB2781C1} - C:\WINDOWS\system32\obmits.dll
O2 - BHO: (no name) - {3c94f2c4-f395-49d3-ad6b-08e9eb1013e0} - C:\WINDOWS\system32\tqkydeg.dll
O2 - BHO: (no name) - {3F641F80-D66D-86BD-1814-888DBB27D591} - C:\WINDOWS\system32\qjna.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6B3F10D0-863B-DFBD-1C14-888DBB26D2C6} - C:\WINDOWS\system32\iea.dll
O2 - BHO: (no name) - {6F681586-D76B-DDED-1214-888DBB26D3C4} - C:\WINDOWS\system32\onvb.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {938A8A03-A938-4019-B764-03FF8D167D79} - C:\WINDOWS\system32\wfwiaaro.dll
O2 - BHO: (no name) - {941508F8-CCD9-44E0-AC29-4F1E141373F7} - C:\WINDOWS\system32\wvusqqn.dll
O2 - BHO: (no name) - {B8CDE9BD-E15B-49D7-909F-9C0374FEB300} - C:\WINDOWS\system32\awtsr.dll
O2 - BHO: (no name) - {ECA0D0B1-5FFE-412C-ABB3-ED49325C8512} - (no file)
O2 - BHO: (no name) - {F3C27A18-C7F7-4987-9979-735FC3DB02DD} - C:\Program Files\Common Files\holem83122.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [mztpnquA] C:\WINDOWS\mztpnquA.exe
O4 - HKLM\..\RunServices: [IESet] IExplorer.dll .dbt
O4 - HKCU\..\Run: [Ieot] "C:\DOCUME~1\Charles\APPLIC~1\SMBOLS~1\javaw.exe" -vt yazb
O4 - HKCU\..\Run: [Xgbkua] "C:\Program Files\Common Files\?icrosoft.NET\?vchost.exe"
O4 - HKUS\S-1-5-18\..\Run: [IESet] IExplorer.dll .dbt (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [IESet] IExplorer.dll .dbt (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: officejet 6100.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send Image to Photo Library - file://C:\Documents and Settings\Charles\Application Data\MGI\PhotoSuite4\Temp\MGI00000.html
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {8CE3BAE6-AB66-40B6-9019-41E5282FF1E2} (QuickBooks Online Edition Utilities Class v8) - https://accounting.quickbooks.com/c3/v15.244/qboax8.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab53083.cab
O16 - DPF: {EF98AF7B-1F54-4079-91BC-3996DEABA45A} (Sinstaller Class) - http://www.cursorcafe.com/bin/cursorcafe.cab
O20 - Winlogon Notify: awtsr - C:\WINDOWS\system32\awtsr.dll
O20 - Winlogon Notify: khfdbax - khfdbax.dll (file missing)
O20 - Winlogon Notify: winosz32 - C:\WINDOWS\SYSTEM32\winosz32.dll
O20 - Winlogon Notify: wvusqqn - C:\WINDOWS\SYSTEM32\wvusqqn.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\cddcsfyg.exe (file missing)
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Net Agent - Unknown owner - C:\WINDOWS\dls0523pmw.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O24 - Desktop Component 0: (no name) - http://us.a1.yahoofs.com/users/4255c92azbc...hIOVgDBQMf3AWY0

--
End of file - 6081 bytes

I can't remove the Zone Alarm without the comp resetting itself.
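The SDFix report in the post above is a good illustration of what to look for when triaging such a log by hand: the Windows Firewall exception list contains entries for executables in Temp folders, one entry whose value is truncated (`cddcsfyg.exe`), and the file lists contain paths with lookalike characters (SDFix prints `?` where it cannot render a character, and `?` is illegal in a Windows file name) and a system binary name sitting outside its expected folder (`system32\explorer.exe`). The Python script below is an added example for this thread and is not code from SDFix, HijackThis or any of the tools or people mentioned here; it parses those two report sections and flags the entries a defender would look at first. The sample input is a constructed subset of lines copied from the report, and the `EXPECTED_DIR` table, `TEMP_MARKERS` and the reason strings are my own assumptions.

```python
"""Triage helpers for an SDFix-style report (added example, not part of SDFix).

Two sections are parsed: the "Authorized Application Key Export" (a .reg-style
dump of the Windows Firewall exception list) and the plain file lists
("Trojan Files Found", "Files with Hidden Attributes").
"""
import re

# Where a few well-known system binaries are expected to live (lower-case,
# drive letter stripped). The same name anywhere else is suspect. (Assumption:
# a short table is enough for this example; a real triage list is longer.)
EXPECTED_DIR = {
    "explorer.exe": "\\windows",
    "svchost.exe": "\\windows\\system32",
    "lsass.exe": "\\windows\\system32",
    "winlogon.exe": "\\windows\\system32",
}

# Path fragments that identify temporary folders (long and 8.3 short forms).
TEMP_MARKERS = ("\\temp\\", "\\locals~1\\", "\\local settings\\")

# One exception entry in the .reg export: "<path>"="<path>:<scope>:<state>:<name>"
FW_LINE = re.compile(r'^"(?P<key>[^"]+)"="(?P<value>[^"]*)"$')
# A well-formed exception value carries :<scope>:Enabled|Disabled:<name>
FW_VALUE = re.compile(r":[^:]+:(enabled|disabled):", re.IGNORECASE)


def suspicious_path(path):
    """Return the reasons a file path looks suspicious (empty list if none)."""
    reasons = []
    low = path.lower()
    # '?' is not a legal Windows file-name character, so a '?' in a listed path
    # means the tool could not render a non-ASCII lookalike (s?mbols, ?vchost).
    if "?" in path or any(ord(c) > 127 for c in path):
        reasons.append("non-ASCII/lookalike character in path")
    if low.endswith(".exe") and any(mk in low for mk in TEMP_MARKERS):
        reasons.append("executable in a temp folder")
    parent, _, base = low.rpartition("\\")
    if len(parent) > 1 and parent[1] == ":":
        parent = parent[2:]  # drop the drive letter before comparing
    if base in EXPECTED_DIR and parent != EXPECTED_DIR[base]:
        reasons.append(f"{base} outside {EXPECTED_DIR[base]}")
    return reasons


def parse_firewall_export(text):
    """Yield (path, value) pairs from the authorized-applications export,
    un-escaping the doubled backslashes of .reg syntax."""
    for line in text.splitlines():
        m = FW_LINE.match(line.strip())
        if m:
            yield (m.group("key").replace("\\\\", "\\"),
                   m.group("value").replace("\\\\", "\\"))


def audit_firewall_export(text):
    """Return [(path, reasons)] for firewall exceptions worth a second look."""
    findings = []
    for path, value in parse_firewall_export(text):
        reasons = suspicious_path(path)
        if not FW_VALUE.search(value):
            # e.g. "...\cddcsfyg.exe"="C:\WINDOWS\system32\cdd" in the report
            reasons.append("malformed/truncated exception value")
        if reasons:
            findings.append((path, reasons))
    return findings


def audit_paths(text):
    """Return [(path, reasons)] for the plain file lists of the report."""
    findings = []
    for line in text.splitlines():
        path = line.strip()
        if path.endswith(" - Deleted"):          # "Trojan Files Found" suffix
            path = path[:-len(" - Deleted")]
        if len(path) < 3 or path[1] != ":":     # keep only drive-rooted paths
            continue
        reasons = suspicious_path(path)
        if reasons:
            findings.append((path, reasons))
    return findings


# Constructed sample: a subset of lines taken from the report above.
SAMPLE_FIREWALL = r'''
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"="C:\\Program Files\\Mozilla Firefox\\firefox.exe:*:Enabled:Firefox"
"C:\\DOCUME~1\\Charles\\LOCALS~1\\Temp\\win116.tmp.exe"="C:\\DOCUME~1\\Charles\\LOCALS~1\\Temp\\win116.tmp.exe:*:Enabled:win116.tmp"
"C:\\WINDOWS\\system32\\cddcsfyg.exe"="C:\\WINDOWS\\system32\\cdd"
"C:\\WINDOWS\\TEMP\\win2E.tmp.exe"="C:\\WINDOWS\\TEMP\\win2E.tmp.exe:*:Enabled:win2E.tmp"
'''

SAMPLE_PATHS = r'''
C:\WINDOWS\system32\explorer.exe - Deleted
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\Charles\Application Data\s?mbols\javaw.exe
C:\Program Files\Common Files\?icrosoft.NET\?vchost.exe
C:\WINDOWS\system32\W?nSxS\l?ass.exe
C:\WINDOWS\system32\config\default.tmp.LOG
'''

if __name__ == "__main__":
    for path, reasons in audit_firewall_export(SAMPLE_FIREWALL) + audit_paths(SAMPLE_PATHS):
        print(f"{path}\n    -> {'; '.join(reasons)}")
```

Run on the sample, the firewall audit reports the two Temp executables and the truncated `cddcsfyg.exe` entry while leaving `sessmgr.exe` and Firefox alone, and the path audit reports the three lookalike paths plus `system32\explorer.exe` (the real one lives in `C:\WINDOWS`). The checks are deliberately narrow: a lookalike character or a temp-folder executable in the firewall list is worth a look every time, whereas a random-looking file name on its own is not a reliable signal.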

#12 htv8

htv8

  • Members
  • 1,694 posts
  • Gender:Male
  • Location:The Netherlands

Posted 25 July 2007 - 07:14 PM

Hello again, and sorry for the little delay.

I can't remove the ZoneAlarm without the comp resetting itself.

What exactly do you mean? Do you have to reboot the machine? Does your computer hang when you try to remove ZoneAlarm? Have you removed it, or is it still present on your PC? Thanks for clarifying. :thumbsup:

Question #1: Have you temporarily disabled AVG Anti-Spyware's Resident Shield as instructed in Post #8? If you haven't, please disable the AVG Anti-Spyware Resident Shield now before proceeding by following the instructions I gave you in that post. If you experience any problems or just have general questions, just ask.

Question #2: Have you disabled your antivirus and firewall?
________________________________________________________________________________
Please print out or copy this page to Notepad.
Make sure to work through the fixes in the exact order in which they are mentioned below and do not miss any steps out. If you have any queries about the process or just general questions, ask your question(s) before proceeding with the fixes.


Step #1: Download and run VundoFix to get rid of Vundo
You have a Vundo infection. Download VundoFix.exe to your Desktop to get rid of it.
Download VundoFix.exe

Once downloaded, follow these steps to run VundoFix:
1. Double-click VundoFix.exe to run it.
2. Click the Scan for Vundo button.
3. Once it is done scanning, click the Remove Vundo button.
4. Click the Yes button at the prompt asking you if you want to remove the files.
NOTE: Once you click Yes, your Desktop will go blank as it starts removing Vundo.
5. When completed, it will prompt that it will reboot your computer. Click OK.
6. Post the entire contents of C:\vundofix.txt in your next reply.

NOTE: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot; simply follow the above instructions starting from the second step - "2. Click the Scan for Vundo button." - when VundoFix appears upon rebooting.

Step #2: Download and run ComboFix
Please download ComboFix and save it to your Desktop.
Download ComboFix (ComboFix.exe)

When the file has finished downloading, double-click ComboFix.exe to launch the application and follow the on-screen prompts.
When finished, it shall produce a log for you: ComboFix.txt. Post that log in your next reply.

NOTE: Do not mouse-click ComboFix's window whilst it's running. That may cause your system to hang!

Step #3: Scan for Smitfraud with SmitfraudFix
In your first post, you said you likely have a Smitfraud infection. Please download SmitfraudFix by S!Ri.
Download SmitfraudFix (SmitfraudFix.exe)

Once downloaded, double-click SmitfraudFix.exe to run SmitfraudFix.
Select option #1 - Search by typing 1 and press Enter; a text file will appear which lists infected files (if present).
Please copy/paste the entire contents of that report into your next reply.

NOTE: Process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
________________________________________________________________________________
So in your next reply, please post the entire contents of:
- C:\vundofix.txt
- ComboFix.txt
- the SmitfraudFix report
NOTE: Use several posts if necessary to include everything in the requested logs.
If I have not posted back within 24 hours, feel free to send me a PM with your topic link.


#13 BlackWaltz

BlackWaltz
  • Topic Starter

  • Members
  • 53 posts

Posted 26 July 2007 - 12:34 AM

"Char" - 2007-07-26 1:14:10 - ComboFix 07-07-23.6 - Service Pack 2 NTFS


(((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\efcbaax.dll
C:\WINDOWS\system32\hggedaa.dll
C:\WINDOWS\system32\mljgeed.dll
C:\WINDOWS\system32\yayaxxw.dll
C:\WINDOWS\system32\efcbaax.dll
C:\WINDOWS\system32\hggedaa.dll
C:\WINDOWS\system32\mljgeed.dll
C:\WINDOWS\system32\yayaxxw.dll
C:\WINDOWS\system32\winosz32.dll
C:\WINDOWS\system32\wvusqqn.dll
C:\WINDOWS\system32\wvusqqn.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\a.exe
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\salesmonitor
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\winantispyware 2007
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\winantispyware 2007\Data\Abbr
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\winantispyware 2007\Data\ProductCode
C:\DOCUME~1\Charles\APPLIC~1.\pppatc~1
C:\DOCUME~1\Charles\APPLIC~1.\smbols~1
C:\DOCUME~1\Charles\APPLIC~1.\smbols~1\javaw.exe
C:\DOCUME~1\Charles\APPLIC~1\Install.dat
C:\DOCUME~1\Charles\MYDOCU~1.\pppatc~1
C:\DOCUME~1\Charles\MYDOCU~1.\pppatc~1\n?lookup.exe
C:\DOCUME~1\Charles\MYDOCU~1.\stem~1
C:\DOCUME~1\Charles\MYDOCU~1.\wnsxs~1
C:\Program Files\asks~1
C:\Program Files\Common Files\crosof~1.net
C:\Program Files\Common Files\fnts~1
C:\Program Files\Common Files\holem83122.dll
C:\Program Files\Common Files\icroso~1.net
C:\Program Files\Common Files\icroso~1.net\?vchost.exe
C:\Program Files\Common Files\winantispyware 2007
C:\Program Files\Common Files\winantispyware 2007\err.log
C:\Program Files\Common Files\winantispyware 2007\uwas7cw.exe
C:\Program Files\Common Files\winantispyware 2007\WAS7Mon.exe
C:\Program Files\Common Files\Yazzle1162OinAdmin.exe
C:\Program Files\outerinfo
C:\Program Files\outerinfo\Terms.rtf
C:\Program Files\poolsv
C:\Program Files\poolsv\k11u72.exe
C:\Program Files\poolsv\svhost.exe
C:\Program Files\poolsv\WinAntiSpyware2007FreeInstall.exe
C:\Program Files\poolsv\wr-1-0000077.exe
C:\Program Files\poolsv\YazzleBundle-1549.exe
C:\Program Files\svhost
C:\Program Files\svhost\wr-1-0000077.exe
C:\Program Files\tsks~1
C:\Program Files\Windows Media Player\progyrtaj.html
C:\WINDOWS\144.exe
C:\WINDOWS\appatc~1
C:\WINDOWS\appatc~1\chkdsk.exe
C:\WINDOWS\mgrs.exe
C:\WINDOWS\notedad.exe
C:\WINDOWS\rau001978.exe
C:\WINDOWS\system32\b10FdUe
C:\WINDOWS\system32\b10FdUe\b10FdUe1099.exe
C:\WINDOWS\system32\clcl14.exe
C:\WINDOWS\system32\drivers\fopn.sys
C:\WINDOWS\system32\drivers\ip6fw.sys
C:\WINDOWS\system32\eshxodkw.exe
C:\WINDOWS\system32\gefcbjvc.exe
C:\WINDOWS\system32\iea.dll
C:\WINDOWS\system32\jdroxjjq.exe
C:\WINDOWS\system32\L1
C:\WINDOWS\system32\L1\mwspasrt83122.exe
C:\WINDOWS\system32\L3
C:\WINDOWS\system32\L3\wr716.exe
C:\WINDOWS\system32\L5
C:\WINDOWS\system32\L5\tns2.exe
C:\WINDOWS\system32\L7
C:\WINDOWS\system32\L9
C:\WINDOWS\system32\L9\wb720.exe
C:\WINDOWS\system32\mlfltmxs.exe
C:\WINDOWS\system32\mp43.exe
C:\WINDOWS\system32\njltvgnn.exe
C:\WINDOWS\system32\obmits.dll
C:\WINDOWS\system32\onvb.dll
C:\WINDOWS\system32\pppatc~1
C:\WINDOWS\system32\qjna.dll
C:\WINDOWS\system32\rbhysmjh.exe
C:\WINDOWS\system32\seehsbyg.exe
C:\WINDOWS\system32\sgkdauhc.exe
C:\WINDOWS\system32\syswin.exe
C:\WINDOWS\system32\win
C:\WINDOWS\system32\wintsvtr.exe
C:\WINDOWS\system32\wnsxs~1
C:\WINDOWS\system32\wnsxs~1\l?ass.exe
C:\WINDOWS\system32\wtgbtjdf.exe
C:\WINDOWS\system32\xmeyjffn.exe
C:\WINDOWS\system32\yiuhbfob.exe
C:\WINDOWS\TISKY009.exe
C:\windows\xpupdate.exe


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_DOMAINSERVICE
-------\LEGACY_FOPN
-------\LEGACY_NET_AGENT
-------\DomainService
-------\Net Agent


((((((((((((((((((((((((( Files Created from 2007-06-26 to 2007-07-26 )))))))))))))))))))))))))))))))


2007-07-26 01:13 31,254 --a------ C:\WINDOWS\system32\yaywwvt.dll
2007-07-26 01:12 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-26 01:10 6,507 --ahs---- C:\WINDOWS\system32\rqtss.bak1
2007-07-26 01:10 228,960 --a------ C:\WINDOWS\system32\sstqr.dll
2007-07-26 00:40 126,016 --a------ C:\WINDOWS\system32\xwjwrxxy.dll
2007-07-25 04:46 70,312 --a------ C:\Program Files\codec_setup.exe
2007-07-25 04:33 31,254 --a------ C:\WINDOWS\system32\opnnkif.dll
2007-07-24 15:31 393,224 --a------ C:\sysikgi.exe
2007-07-24 01:08 93,696 --a------ C:\WINDOWS\system32\drvxed.dll
2007-07-24 01:07 31,254 --a------ C:\WINDOWS\system32\tuvuvwu.dll
2007-07-24 00:10 <DIR> d-------- C:\WINDOWS\ERUNT
2007-07-23 14:44 10,240 --a------ C:\WINDOWS\system32\hlpsrv.exe
2007-07-23 00:47 <DIR> d-------- C:\WINDOWS\pss
2007-07-22 16:09 54,784 --a------ C:\WINDOWS\mztpnqu.exe
2007-07-22 16:09 192,612 --a------ C:\WINDOWS\system32\twinqndt.exe
2007-07-22 16:09 171,520 --a------ C:\WINDOWS\system32\tqkydeg.dll
2007-07-22 16:08 <DIR> d-------- C:\WINDOWS\system32\L11
2007-07-22 16:08 <DIR> d-------- C:\Temp\brr
2007-07-22 16:08 <DIR> d-------- C:\Temp\0c2
2007-07-22 16:08 <DIR> d-------- C:\Temp
2007-07-20 01:44 75,932 --a------ C:\WINDOWS\system32\drivers\klick.dat
2007-07-20 01:44 75,248 --a------ C:\WINDOWS\zllsputility.exe
2007-07-20 01:44 74,396 --a------ C:\WINDOWS\system32\drivers\klin.dat
2007-07-20 01:44 4,212 --ah----- C:\WINDOWS\system32\zllictbl.dat
2007-07-20 01:44 11,264 --a------ C:\WINDOWS\system32\SpOrder.dll
2007-07-20 01:44 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\MailFrontier
2007-07-20 01:43 411,680 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-07-20 01:43 110,360 --a------ C:\WINDOWS\system32\drivers\kl1.sys
2007-07-20 01:43 1,086,952 --a------ C:\WINDOWS\system32\zpeng24.dll
2007-07-20 01:43 <DIR> d-------- C:\WINDOWS\system32\ZoneLabs
2007-07-20 01:42 <DIR> d-------- C:\WINDOWS\Internet Logs
2007-07-20 00:31 <DIR> d-------- C:\VundoFix Backups
2007-07-17 17:32 93,696 --a------ C:\WINDOWS\system32\drvwah.dll
2007-07-15 15:12 <DIR> d-------- C:\WINDOWS\Prefetch
2007-07-15 14:53 20,992 --a------ C:\WINDOWS\system32\drivers\RTL8139.sys
2007-07-15 14:48 24,661 --a------ C:\WINDOWS\system32\spxcoins.dll
2007-07-15 14:48 13,312 --a------ C:\WINDOWS\system32\irclass.dll
2007-07-15 14:18 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2007-07-12 03:21 <DIR> d-------- C:\Program Files\Trend Micro
2007-07-12 02:37 <DIR> d-------- C:\Program Files\Online Services
2007-07-12 02:09 <DIR> d-------- C:\WINDOWS\setup.pss
2007-07-07 01:42 <DIR> d-------- C:\Program Files\Dofus
2007-07-07 01:25 <DIR> d-------- C:\Program Files\DofusArena2
2007-07-04 23:42 <DIR> d--hs---- C:\WINDOWS\CSC
2007-07-04 12:15 2,576 --a------ C:\WINDOWS\system32\tmp.reg
2007-07-04 12:12 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-07-04 12:12 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-07-04 12:12 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-07-04 05:03 <DIR> d-------- C:\Program Files\Lavasoft
2007-07-04 05:03 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-07-04 04:29 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-07-02 01:29 <DIR> d-------- C:\Program Files\Common Files\McAfee
2007-07-02 01:29 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Yahoo! Companion
2007-06-26 00:41 1,060,864 --a------ C:\WINDOWS\system32\MFC71.dll
2007-06-26 00:40 <DIR> d-------- C:\Program Files\Alwil Software


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-25 10:40:51 -------- d-----w C:\Program Files\Warcraft III
2007-07-23 11:41:29 -------- d-----w C:\DOCUME~1\Charles\APPLIC~1\AdobeUM
2007-07-21 10:17:15 5,900 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2007-07-20 01:19:52 -------- d-----w C:\Program Files\DivX
2007-07-20 01:14:52 -------- d-----w C:\Program Files\Viewpoint
2007-07-20 01:05:42 -------- d-----w C:\Program Files\LimeWire
2007-07-15 21:57:13 22,748 -c--a-w C:\WINDOWS\system32\emptyregdb.dat
2007-07-12 10:33:38 -------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-07-04 11:35:52 -------- d-----w C:\DOCUME~1\Charles\APPLIC~1\Lavasoft
2007-07-03 10:20:05 -------- d-----w C:\Program Files\Yahoo!
2007-06-26 05:51:01 -------- d-----w C:\Program Files\AIM Invader
2007-06-26 03:06:10 22,752 ----a-w C:\WINDOWS\War3Unin.dat
2007-06-26 02:00:37 2,829 ----a-w C:\WINDOWS\War3Unin.pif
2007-06-26 02:00:36 126,976 ----a-w C:\WINDOWS\War3Unin.exe
2007-06-17 10:29:29 -------- d-----w C:\DOCUME~1\Charles\APPLIC~1\Viewpoint
2007-06-17 10:17:02 -------- d-----w C:\Program Files\Realtek AC97
2007-06-17 10:16:37 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-06-17 10:16:08 -------- d-----w C:\Program Files\Common Files\InstallShield
2007-06-17 09:58:49 -------- d-----w C:\Program Files\AIM6
2007-06-10 11:05:05 -------- d-----w C:\Program Files\iPod
2007-06-10 10:35:01 -------- d-----w C:\Program Files\Common Files\AOL
2007-06-10 10:35:01 -------- d-----w C:\Program Files\AIM
2007-06-06 21:08:40 -------- d-----w C:\DOCUME~1\Charles\APPLIC~1\Technology Lighthouse
2007-06-05 05:00:06 11 ----a-w C:\WINDOWS\system32\GH31ADSE.DLL
2007-06-05 04:54:41 7 ----a-w C:\WINDOWS\system32\DD0TRAN9.DLL
2007-06-04 22:18:48 9,344 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
2007-06-04 22:17:02 8,320 ----a-w C:\WINDOWS\system32\drivers\AWRTRD.sys
2007-06-04 22:14:56 6,272 ----a-w C:\WINDOWS\system32\drivers\AWRTPD.sys
2007-05-24 10:10:02 7,935 ----a-w C:\WINDOWS\system32\X9JZKC90.DLL
2007-05-24 10:10:02 265 ----a-w C:\WINDOWS\system32\21U1X5I2.DLL
2007-05-08 06:51:03 53,248 ----a-w C:\WINDOWS\system32\zlib.dll
2007-05-08 06:50:56 89,360 ----a-w C:\WINDOWS\system32\VB5DB.DLL
2007-05-08 06:50:51 561,180 ----a-w C:\WINDOWS\system32\dao360.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3c94f2c4-f395-49d3-ad6b-08e9eb1013e0}]
2007-07-22 16:09 171520 --a------ C:\WINDOWS\system32\tqkydeg.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B8CDE9BD-E15B-49D7-909F-9C0374FEB300}]
C:\WINDOWS\system32\awtsr.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C07E495C-D668-4538-913B-F05F1E466E99}]
2007-07-26 01:10 228960 --a------ C:\WINDOWS\system32\sstqr.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D365C4D2-092A-419F-89D4-55BAB0696AEE}]
C:\WINDOWS\system32\gebyw.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ECA0D0B1-5FFE-412C-ABB3-ED49325C8512}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-07-28 11:43]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Ieot"="C:\DOCUME~1\Charles\APPLIC~1\SMBOLS~1\javaw.exe" []
"Xgbkua"="C:\Program Files\Common Files\?icrosoft.NET\?vchost.exe" []
"Regscan"="C:\WINDOWS\system32\regscan.exe" [2006-02-28 05:00]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26]
hpoddt01.exe.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-04-06 01:06:58]
officejet 6100.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe [2003-04-06 00:37:38]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoDispAppearancePage"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= C:\Program Files\Windows Media Player\progyrtaj.html
FriendlyName=

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\khfdbax]
khfdbax.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\sstqr]
C:\WINDOWS\system32\sstqr.dll 2007-07-26 01:10 228960 C:\WINDOWS\system32\sstqr.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\aawservice]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Driver]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Guard]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Charles^Start Menu^Programs^Startup^TA_Start.lnk]
path=C:\Documents and Settings\Charles\Start Menu\Programs\Startup\TA_Start.lnk
backup=C:\WINDOWS\pss\TA_Start.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Charles^Start Menu^Programs^Startup^Think-Adz.lnk]
path=C:\Documents and Settings\Charles\Start Menu\Programs\Startup\Think-Adz.lnk
backup=C:\WINDOWS\pss\Think-Adz.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
"C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
"C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\clcl13]
C:\WINDOWS\system32\clcl13.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\clcl14]
C:\WINDOWS\system32\clcl14.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTDrive]
rundll32.exe C:\WINDOWS\system32\drvwah.dll,startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ExploreUpdSched]
C:\WINDOWS\system32\twinqndt.exe SKY009

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\icq.com]
rundll32.exe "C:\WINDOWS\system32\brkvnndr.dll",forkonce

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IESet]
IExplorer.dll .dbt

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mztpnquA]
C:\WINDOWS\mztpnquA.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\poolsv]
"C:\WINDOWS\poolsv.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]
C:\WINDOWS\retadpu77.exe 61A847B5BBF72815358B2B27128065E9C084320161C4661227A755E9C2933154389A

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Salestart]
"C:\Program Files\Common Files\WinAntiSpyware 2007\WAS7Mon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\startdrv]
C:\WINDOWS\Temp\startdrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebBuying]
C:\Program Files\Web Buying\v1.8.0\webbuying.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinPop]
C:\Program Files\WinPop\winpop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{95-54-41-1D-ZN}]
c:\windows\system32\mpdsregj.exe SKY009

R0 sbp2port;SBP-2 Transport/Protocol Bus Driver;C:\WINDOWS\system32\DRIVERS\sbp2port.sys
R1 AFS2K;AFS2k;C:\WINDOWS\system32\drivers\AFS2K.sys
R3 ms_mpu401;Microsoft MPU-401 MIDI UART Driver;C:\WINDOWS\system32\drivers\msmpu401.sys
S0 srescan;srescan;C:\WINDOWS\system32\ZoneLabs\srescan.sys
S3 XDva007;XDva007;\??\C:\WINDOWS\system32\XDva007.sys
S3 XTrapD12;XTrapD12;\??\C:\WINDOWS\system32\XTrapD12.sys


Contents of the 'Scheduled Tasks' folder
2006-11-24 18:03:54 C:\WINDOWS\tasks\FRU Task #Hewlett-Packard#hp officejet 6100 series#1155572046.job

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-26 01:28:21
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher]
"TracesProcessed"=dword:0000008a

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-26 1:31:02 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-07-26 01:30

--- E O F ---

#14 BlackWaltz (Topic Starter, Members, 53 posts)

Posted 26 July 2007 - 12:37 AM

SmitFraudFix v2.207

Scan done at 1:33:51.59, Thu 07/26/2007
Run from C:\Documents and Settings\Charles\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\regscan.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Charles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Charles\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Charles\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="C:\\Program Files\\Windows Media Player\\progyrtaj.html"
"SubscribedURL"=""
"FriendlyName"=""

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\1]
"Source"="http://us.a1.yahoofs.com/users/4255c92azbcbe946b/a1fe/__sr_/4fb8.jpg?phIOVgDBQMf3AWY0"
"SubscribedURL"="http://us.a1.yahoofs.com/users/4255c92azbcbe946b/a1fe/__sr_/4fb8.jpg?phIOVgDBQMf3AWY0"
"FriendlyName"=""

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Rustock



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Realtek RTL8139 Family PCI Fast Ethernet NIC - Packet Scheduler Miniport
DNS Server Search Order: 167.206.245.82
DNS Server Search Order: 167.206.245.18
DNS Server Search Order: 167.206.245.83

HKLM\SYSTEM\CCS\Services\Tcpip\..\{13AADB82-506A-47D5-A6B1-44248840B98A}: DhcpNameServer=167.206.245.82 167.206.245.18 167.206.245.83
HKLM\SYSTEM\CS1\Services\Tcpip\..\{13AADB82-506A-47D5-A6B1-44248840B98A}: DhcpNameServer=167.206.245.82 167.206.245.18 167.206.245.83
HKLM\SYSTEM\CS2\Services\Tcpip\..\{13AADB82-506A-47D5-A6B1-44248840B98A}: DhcpNameServer=167.206.245.82 167.206.245.18 167.206.245.83
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=167.206.245.82 167.206.245.18 167.206.245.83
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=167.206.245.82 167.206.245.18 167.206.245.83
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=167.206.245.82 167.206.245.18 167.206.245.83


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End




VundoFix V6.5.6

Checking Java version...

Scan started at 12:31:50 AM 7/20/2007

Listing files found while scanning....

C:\windows\system32\andnxxlc.dll
C:\windows\system32\bahppqsw.exe
C:\windows\system32\baukaqgb.exe
C:\WINDOWS\system32\bivqpjny.dll
C:\windows\system32\btrvsgop.ini
C:\windows\system32\bvfihdpk.dll
C:\windows\system32\byxyxvw.dll
C:\windows\system32\cbxwwur.dll
C:\windows\system32\clxxndna.ini
C:\WINDOWS\system32\ddeeg.bak1
C:\WINDOWS\system32\ddeeg.bak2
C:\WINDOWS\system32\ddeeg.ini
C:\WINDOWS\system32\ddeeg.tmp
C:\windows\system32\dlgferif.dll
C:\WINDOWS\system32\eflfwqfv.dll
C:\windows\system32\foogsesm.exe
C:\WINDOWS\system32\geedd.dll
C:\windows\system32\guoocffn.dll
C:\windows\system32\hggfecb.dll
C:\windows\system32\hkkhxemi.dll
C:\windows\system32\ihcottql.exe
C:\windows\system32\ilnjaruu.dll
C:\windows\system32\imexhkkh.ini
C:\windows\system32\jrhrctbv.dll
C:\windows\system32\klxqbobq.exe
C:\windows\system32\kpdhifvb.ini
C:\windows\system32\ljjjhii.dll
C:\windows\system32\lygjvlpy.exe
C:\windows\system32\mvdsxjqw.dll
C:\windows\system32\myqgtugw.ini
C:\windows\system32\nbadcivw.exe
C:\windows\system32\nksdenie.dll
C:\windows\system32\nnnnkif.dll
C:\windows\system32\nqplstdv.ini
C:\windows\system32\nrtirogd.dll
C:\windows\system32\opnnmjk.dll
C:\windows\system32\pjicmxwb.dll
C:\windows\system32\pogsvrtb.dll
C:\windows\system32\pswfwspx.ini
C:\windows\system32\qomkhhh.dll
C:\windows\system32\qtvwlbqt.exe
C:\windows\system32\rmmekeuc.dll
C:\windows\system32\uurajnli.ini
C:\windows\system32\vbtcrhrj.ini
C:\windows\system32\vdtslpqn.dll
C:\windows\system32\wgutgqym.dll
C:\WINDOWS\system32\wvuttrp.dll
C:\windows\system32\xdcymins.exe
C:\windows\system32\xhmdbcsv.exe
C:\windows\system32\xpswfwsp.dll
C:\WINDOWS\system32\yhubnpjy.dll
C:\windows\system32\ynjpqvib.ini

Beginning removal...

Attempting to delete C:\windows\system32\andnxxlc.dll
C:\windows\system32\andnxxlc.dll Has been deleted!

Attempting to delete C:\windows\system32\bahppqsw.exe
C:\windows\system32\bahppqsw.exe Has been deleted!

Attempting to delete C:\windows\system32\baukaqgb.exe
C:\windows\system32\baukaqgb.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\bivqpjny.dll
C:\WINDOWS\system32\bivqpjny.dll Has been deleted!

Attempting to delete C:\windows\system32\btrvsgop.ini
C:\windows\system32\btrvsgop.ini Has been deleted!

Attempting to delete C:\windows\system32\bvfihdpk.dll
C:\windows\system32\bvfihdpk.dll Has been deleted!

Attempting to delete C:\windows\system32\byxyxvw.dll
C:\windows\system32\byxyxvw.dll Has been deleted!

Attempting to delete C:\windows\system32\cbxwwur.dll
C:\windows\system32\cbxwwur.dll Has been deleted!

Attempting to delete C:\windows\system32\clxxndna.ini
C:\windows\system32\clxxndna.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\ddeeg.bak1
C:\WINDOWS\system32\ddeeg.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\ddeeg.bak2
C:\WINDOWS\system32\ddeeg.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\ddeeg.ini
C:\WINDOWS\system32\ddeeg.ini Has been deleted!

Attempting to delete C:\windows\system32\dlgferif.dll
C:\windows\system32\dlgferif.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\eflfwqfv.dll
C:\WINDOWS\system32\eflfwqfv.dll Has been deleted!

Attempting to delete C:\windows\system32\foogsesm.exe
C:\windows\system32\foogsesm.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\geedd.dll
C:\WINDOWS\system32\geedd.dll Has been deleted!

Attempting to delete C:\windows\system32\guoocffn.dll
C:\windows\system32\guoocffn.dll Has been deleted!

Attempting to delete C:\windows\system32\hggfecb.dll
C:\windows\system32\hggfecb.dll Has been deleted!

Attempting to delete C:\windows\system32\hkkhxemi.dll
C:\windows\system32\hkkhxemi.dll Has been deleted!

Attempting to delete C:\windows\system32\ihcottql.exe
C:\windows\system32\ihcottql.exe Has been deleted!

Attempting to delete C:\windows\system32\ilnjaruu.dll
C:\windows\system32\ilnjaruu.dll Has been deleted!

Attempting to delete C:\windows\system32\imexhkkh.ini
C:\windows\system32\imexhkkh.ini Has been deleted!

Attempting to delete C:\windows\system32\jrhrctbv.dll
C:\windows\system32\jrhrctbv.dll Has been deleted!

Attempting to delete C:\windows\system32\klxqbobq.exe
C:\windows\system32\klxqbobq.exe Has been deleted!

Attempting to delete C:\windows\system32\kpdhifvb.ini
C:\windows\system32\kpdhifvb.ini Has been deleted!

Attempting to delete C:\windows\system32\ljjjhii.dll
C:\windows\system32\ljjjhii.dll Has been deleted!

Attempting to delete C:\windows\system32\lygjvlpy.exe
C:\windows\system32\lygjvlpy.exe Has been deleted!

Attempting to delete C:\windows\system32\mvdsxjqw.dll
C:\windows\system32\mvdsxjqw.dll Has been deleted!

Attempting to delete C:\windows\system32\myqgtugw.ini
C:\windows\system32\myqgtugw.ini Has been deleted!

Attempting to delete C:\windows\system32\nbadcivw.exe
C:\windows\system32\nbadcivw.exe Has been deleted!

Attempting to delete C:\windows\system32\nksdenie.dll
C:\windows\system32\nksdenie.dll Has been deleted!

Attempting to delete C:\windows\system32\nnnnkif.dll
C:\windows\system32\nnnnkif.dll Has been deleted!

Attempting to delete C:\windows\system32\nqplstdv.ini
C:\windows\system32\nqplstdv.ini Has been deleted!

Attempting to delete C:\windows\system32\nrtirogd.dll
C:\windows\system32\nrtirogd.dll Has been deleted!

Attempting to delete C:\windows\system32\opnnmjk.dll
C:\windows\system32\opnnmjk.dll Has been deleted!

Attempting to delete C:\windows\system32\pjicmxwb.dll
C:\windows\system32\pjicmxwb.dll Has been deleted!

Attempting to delete C:\windows\system32\pogsvrtb.dll
C:\windows\system32\pogsvrtb.dll Has been deleted!

Attempting to delete C:\windows\system32\pswfwspx.ini
C:\windows\system32\pswfwspx.ini Has been deleted!

Attempting to delete C:\windows\system32\qomkhhh.dll
C:\windows\system32\qomkhhh.dll Has been deleted!

Attempting to delete C:\windows\system32\qtvwlbqt.exe
C:\windows\system32\qtvwlbqt.exe Has been deleted!

Attempting to delete C:\windows\system32\rmmekeuc.dll
C:\windows\system32\rmmekeuc.dll Has been deleted!

Attempting to delete C:\windows\system32\uurajnli.ini
C:\windows\system32\uurajnli.ini Has been deleted!

Attempting to delete C:\windows\system32\vbtcrhrj.ini
C:\windows\system32\vbtcrhrj.ini Has been deleted!

Attempting to delete C:\windows\system32\vdtslpqn.dll
C:\windows\system32\vdtslpqn.dll Has been deleted!

Attempting to delete C:\windows\system32\wgutgqym.dll
C:\windows\system32\wgutgqym.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\wvuttrp.dll
C:\WINDOWS\system32\wvuttrp.dll Has been deleted!

Attempting to delete C:\windows\system32\xdcymins.exe
C:\windows\system32\xdcymins.exe Has been deleted!

Attempting to delete C:\windows\system32\xhmdbcsv.exe
C:\windows\system32\xhmdbcsv.exe Has been deleted!

Attempting to delete C:\windows\system32\xpswfwsp.dll
C:\windows\system32\xpswfwsp.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\yhubnpjy.dll
C:\WINDOWS\system32\yhubnpjy.dll Has been deleted!

Attempting to delete C:\windows\system32\ynjpqvib.ini
C:\windows\system32\ynjpqvib.ini Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.5.6

Checking Java version...

Scan started at 1:54:58 AM 7/21/2007

Listing files found while scanning....

No infected files were found.


Beginning removal...

VundoFix V6.5.6

Checking Java version...

Scan started at 3:42:31 AM 7/25/2007

Listing files found while scanning....

C:\WINDOWS\system32\awtsr.dll
C:\windows\system32\brkvnndr.dll
C:\windows\system32\rdnnvkrb.ini
C:\WINDOWS\system32\rstwa.bak2
C:\WINDOWS\system32\rstwa.ini
C:\WINDOWS\system32\wfwiaaro.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\awtsr.dll
C:\WINDOWS\system32\awtsr.dll Has been deleted!

Attempting to delete C:\windows\system32\brkvnndr.dll
C:\windows\system32\brkvnndr.dll Has been deleted!

Attempting to delete C:\windows\system32\rdnnvkrb.ini
C:\windows\system32\rdnnvkrb.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\rstwa.bak2
C:\WINDOWS\system32\rstwa.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\rstwa.ini
C:\WINDOWS\system32\rstwa.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\wfwiaaro.dll
C:\WINDOWS\system32\wfwiaaro.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.5.6

Checking Java version...

Scan started at 12:56:03 AM 7/26/2007

Listing files found while scanning....

C:\WINDOWS\system32\gebyw.dll
C:\windows\system32\tiqrgaii.dll
C:\WINDOWS\system32\wybeg.bak1
C:\WINDOWS\system32\wybeg.bak2
C:\WINDOWS\system32\wybeg.ini
C:\WINDOWS\system32\wybeg.tmp

Beginning removal...

Attempting to delete C:\WINDOWS\system32\gebyw.dll
C:\WINDOWS\system32\gebyw.dll Has been deleted!

Attempting to delete C:\windows\system32\tiqrgaii.dll
C:\windows\system32\tiqrgaii.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\wybeg.bak1
C:\WINDOWS\system32\wybeg.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\wybeg.bak2
C:\WINDOWS\system32\wybeg.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\wybeg.ini
C:\WINDOWS\system32\wybeg.ini Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.5.6

Checking Java version...

Scan started at 1:06:37 AM 7/26/2007

Listing files found while scanning....

No infected files were found.

#15 miekiemoes (Malware Killer Dog, Malware Response Team, 19,420 posts, Location: Belgium)

Posted 26 July 2007 - 03:58 PM

Hi,

htv8 is really busy nowadays and can't reply here, so I am going to take this over if that's OK with you.

But first, an important thing: your system is terribly infected. The problem with these infections nowadays is that they cause a lot of damage. Even if we clean the malware off your system, I can't guarantee that your system will be clean afterwards, because these infections/bundles leave a lot of leftovers behind that most scanners won't even recognise and logs won't show.
Also, I can't promise you that we can repair all the damage it caused. Even after cleaning the malware, you can still get errors afterwards because of the damage. Solving these is not always possible, since finding the right cause and solution will be like searching for a needle in a haystack.
So, we can try to clean this up and do what we can, but keep in mind that we can't solve ALL the problems this malware has already caused.

In light of this, it would be wise for you to back up any files and folders that you don't want to lose before we start. The reason I am telling you this is that when a system is so terribly infected and we try to clean it up manually, the damage that is already present may interfere with our removal attempts.


Do the following, please:

* Open Notepad (don't use any other text editor than Notepad, or the script will fail) and copy/paste the text in the quote box below into Notepad:

File::
C:\WINDOWS\mztpnqu.exe
C:\WINDOWS\system32\twinqndt.exe
C:\WINDOWS\system32\tqkydeg.dll
C:\WINDOWS\system32\drvwah.dll
C:\WINDOWS\system32\regscan.exe
C:\WINDOWS\system32\yaywwvt.dll
C:\WINDOWS\pss\Think-Adz.lnkStartup
C:\WINDOWS\pss\TA_Start.lnkStartup
C:\WINDOWS\system32\rqtss.bak1
C:\WINDOWS\system32\sstqr.dll
C:\WINDOWS\system32\xwjwrxxy.dll
C:\Program Files\codec_setup.exe
C:\WINDOWS\system32\opnnkif.dll
C:\sysikgi.exe
C:\WINDOWS\system32\drvxed.dll
C:\WINDOWS\system32\tuvuvwu.dll

FileLook::
C:\WINDOWS\system32\hlpsrv.exe

Folder::
C:\WINDOWS\system32\L11
C:\Temp

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3c94f2c4-f395-49d3-ad6b-08e9eb1013e0}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B8CDE9BD-E15B-49D7-909F-9C0374FEB300}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C07E495C-D668-4538-913B-F05F1E466E99}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D365C4D2-092A-419F-89D4-55BAB0696AEE}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ECA0D0B1-5FFE-412C-ABB3-ED49325C8512}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{EF98AF7B-1F54-4079-91BC-3996DEABA45A}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Ieot"=-
"Xgbkua"=-
"Regscan"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\khfdbax]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\sstqr]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Charles^Start Menu^Programs^Startup^TA_Start.lnk]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Charles^Start Menu^Programs^Startup^Think-Adz.lnk]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\clcl13]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\clcl14]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTDrive]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ExploreUpdSched]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\icq.com]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IESet]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mztpnquA]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\poolsv]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Salestart]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\startdrv]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebBuying]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinPop]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{95-54-41-1D-ZN}]


Save this as a text file named CFScript.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply, together with a new HijackThis log.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
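As an added example (not code from this thread, from ComboFix, or from its authors), the script below reads a few of the "Reg Loading Points" lines from the ComboFix log earlier in the thread, flags the entries a responder would look at first, and then parses the CFScript in the reply above to report, for each flagged entry, whether the script removes the registry persistence and whether it also removes the file on disk. Everything beyond the copied log and script lines is an assumption of this example and is labelled as such in the code: the heuristics (a "?" in a path standing for a character the log could not render, a long run of consonants as a sign of a generated file name, an executable sitting directly in the Windows root or Temp), and the reading of CFScript syntax as .reg notation ("[-KEY]" deletes a key, "\"name\"=-" deletes a value under the key selected by the preceding "[KEY]" line).

```python
"""Triage ComboFix 'Reg Loading Points' and check what a CFScript does about them.
Added example, not code from the thread or from ComboFix: the embedded log and
script lines are copied from the thread; the heuristics and the reading of the
CFScript syntax are this example's own assumptions."""
import re

# Constructed sample: a subset of the 'Reg Loading Points' section posted above.
LOG = r"""
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3c94f2c4-f395-49d3-ad6b-08e9eb1013e0}]
2007-07-22 16:09 171520 --a------ C:\WINDOWS\system32\tqkydeg.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Xgbkua"="C:\Program Files\Common Files\?icrosoft.NET\?vchost.exe" []
"Regscan"="C:\WINDOWS\system32\regscan.exe" [2006-02-28 05:00]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\sstqr]
C:\WINDOWS\system32\sstqr.dll 2007-07-26 01:10 228960 C:\WINDOWS\system32\sstqr.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]
C:\WINDOWS\retadpu77.exe 61A847B5BBF72815358B2B27128065E9C084320161C4661227A755E9C2933154389A
"""

# Constructed sample: the matching lines of the CFScript posted above.
SCRIPT = r"""
File::
C:\WINDOWS\system32\tqkydeg.dll
C:\WINDOWS\system32\regscan.exe
C:\WINDOWS\system32\sstqr.dll

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3c94f2c4-f395-49d3-ad6b-08e9eb1013e0}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Xgbkua"=-
"Regscan"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\sstqr]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]
"""

PATH_RE = re.compile(r'[A-Za-z]:\\[^"\[\]\r\n]*?\.(?:exe|dll|sys|lnk|html)', re.I)
VALUE_RE = re.compile(r'^"([^"]+)"=')


def loading_points(text):
    """Yield (key, value_name_or_None, path) for each file a log line references."""
    key = None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key:
            m = VALUE_RE.match(line)
            for path in dict.fromkeys(PATH_RE.findall(line)):  # dedupe, keep order
                yield key, (m.group(1) if m else None), path


def suspicion(key, path):
    """Reasons a loading point deserves a look; an empty list means none found."""
    k, stem = key.lower(), path.rsplit("\\", 1)[-1].rsplit(".", 1)[0].lower()
    reasons = []
    if "?" in path or not path.isascii():
        # Assumption: the log prints '?' for a character it cannot render, so
        # '?icrosoft.NET\?vchost.exe' is a lookalike of a Microsoft path.
        reasons.append("unrenderable character in path (lookalike name)")
    if "winlogon\\notify" in k:
        reasons.append("Winlogon notification DLL, loaded by winlogon.exe at logon")
    if "browser helper objects" in k:
        reasons.append("IE Browser Helper Object, loaded into every iexplore.exe")
    if re.search(r"[b-df-hj-np-tv-z]{4,}", stem):  # heuristic, weak on its own
        reasons.append("four or more consonants in a row (generated file name)")
    if re.match(r"[a-z]:\\windows\\(temp\\)?[^\\]+$", path.lower()):
        reasons.append("executable directly in the Windows root or Temp")
    return reasons


def parse_cfscript(text):
    """Files, deleted keys and deleted (key, value) pairs named by a CFScript.
    Assumed syntax (.reg notation): 'File::' lines are files to remove; under
    'Registry::', '[-KEY]' deletes KEY, '[KEY]' selects it, '"name"=-' deletes a value."""
    files, del_keys, del_values, section, key = set(), set(), set(), None, None
    for line in filter(None, map(str.strip, text.splitlines())):
        if line.endswith("::"):
            section = line[:-2]
        elif section == "File":
            files.add(line.lower())
        elif section == "Registry" and line.startswith("[-"):
            del_keys.add(line[2:-1].lower())
        elif section == "Registry" and line.startswith("["):
            key = line[1:-1].lower()
        elif section == "Registry" and line.endswith("=-") and key:
            del_values.add((key, line[1:-3].lower()))
    return files, del_keys, del_values


def coverage(log_text, script_text):
    """For each suspicious loading point: does the script remove the registry
    persistence, and does it also remove the file on disk?"""
    files, del_keys, del_values = parse_cfscript(script_text)
    report = {}
    for key, value, path in loading_points(log_text):
        reasons = suspicion(key, path)
        if reasons:
            k = key.lower()
            report[path] = {
                "reasons": reasons,
                "persistence_removed": k in del_keys
                or (value is not None and (k, value.lower()) in del_values),
                "file_removed": path.lower() in files,
            }
    return report


if __name__ == "__main__":
    for path, info in coverage(LOG, SCRIPT).items():
        print(path, info)
```

Run as a script to print the report. On the sample, the four entries the heuristics flag all have their persistence removed by the script, but C:\WINDOWS\retadpu77.exe and the "?vchost.exe" lookalike are not in the File:: section, so their binaries would stay on disk; the heuristics also say nothing about regscan.exe, which the reply above removes anyway. The point of the check is to order the work and catch gaps in the script, not to decide on its own what is malware.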



