WE'RE SURE THAT YOU'LL LOVE US!

Hey there! :wub: Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. Join 93112 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.

Try What the Tech -- It's free!

Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

Trojan Horse Dropper.agent.7.s Msn Messenger Troubles

Started by kileyray , Apr 30 2007 10:14 PM

Please log in to reply

17 replies to this topic

#1 kileyray

Authentic Member

Authentic Member
22 posts

Posted 30 April 2007 - 10:14 PM

Having some difficulties with my computer. The other evening I thing I downloaded something sent to me offline in MSN messenger. It then took over my computer and started up MSN messenger on it's own and sent out several offline messages. It did several in just a few seconds. Now my AVG keeps showing an trojan horse dropper.agent.7.s warning. I keep sending it to the virus vault or wiping it but nothing helps. I have also ran adaware and spybot with no luck fixing the prob. Thanks in advance....

Logfile of HijackThis v1.99.1
Scan saved at 9:05:08 PM, on 30/04/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam10\QuickCam10.exe
C:\Program Files\Verbatim\ButtonMonitor\ButtonMonitor.exe
C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\CleanMyPC\Registry Cleaner\RCScheduler.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Spy Ware Apps\SpywareGuard\sgmain.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe
C:\Program Files\Spy Ware Apps\SpywareGuard\sgbhp.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\retadpu1000904.exe
C:\WINDOWS\retadpu1000904.exe
C:\WINDOWS\retadpu1000904.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mytelus.com/news/display.do
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [VF0070 STISvc] RunDLL32.exe V0070Pin.dll,RunDLL32EP 513
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\TELUSE~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam10\QuickCam10.exe" /hide
O4 - HKLM\..\Run: [ButtonMonitor] C:\Program Files\Verbatim\ButtonMonitor\/ButtonMonitor.exe
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\retadpu1000904.exe 61A847B5BBF72813329B385F72FD01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
O4 - HKLM\..\Run: [InfoData] rundll32.exe "C:\WINDOWS\system32\bqnfbrcm.dll",realset
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe"
O4 - HKCU\..\Run: [Registry Cleaner Scheduler] "C:\Program Files\CleanMyPC\Registry Cleaner\RCScheduler.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [IpWins] C:\Program Files\Ipwindows\ipwins.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\Spy Ware Apps\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Search - http://edits.mywebse...?p=ZNxdm824KPCA
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://www.nick.com/.../GrooveAX25.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

Advertisements

Register to Remove

#2 Markka

Advanced Member

Banned
784 posts

Posted 01 May 2007 - 03:07 AM

Hi and welcome to the forums.

I'm Markka and I will be helping you with your malware issues. I'll check your HijackThis log. Right now I'm MRU Undergrad, everything that I post to you must be checked by teachers of Malware Removal University. Please be patient.

#3 kileyray

Authentic Member

Authentic Member
22 posts

Posted 01 May 2007 - 09:36 PM

Thanks for the quick reply to let me know you are working on it Markka. I will check back again.

#4 Markka

Advanced Member

Banned
784 posts

Posted 02 May 2007 - 08:46 AM

Hello

You don't have a firewall on your computer. Here are free and good firewalls: (Install only one)

Comodo
OutPost
Kerio
Sygate
ZoneAlarm

1. Download this file - combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Rename HijackThis.exe to Scanner.exe !

Post:* A fresh HijackThis log
* Contents of C:\ComboFix.txt

#5 kileyray

Authentic Member

Authentic Member
22 posts

Posted 02 May 2007 - 07:58 PM

Logfile of HijackThis v1.99.1
Scan saved at 6:54:07 PM, on 02/05/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam10\QuickCam10.exe
C:\Program Files\Verbatim\ButtonMonitor\ButtonMonitor.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe
C:\Program Files\CleanMyPC\Registry Cleaner\RCScheduler.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spy Ware Apps\SpywareGuard\sgmain.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe
C:\Program Files\Spy Ware Apps\SpywareGuard\sgbhp.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\Java\jre1.5.0_07\bin\jucheck.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\Scanner.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mytelus.com/news/display.do
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {469A7591-94FA-43BF-B8F7-91B00715363B} - C:\WINDOWS\system32\yayvuvs.dll
O2 - BHO: SpywareGuardDLBLOCK.CBrowserHelper - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\Spy Ware Apps\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {8D0C8CC2-40CB-4B1E-B6C2-0C572E10BDB3} - C:\WINDOWS\system32\efcdd.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [VF0070 STISvc] RunDLL32.exe V0070Pin.dll,RunDLL32EP 513
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\TELUSE~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam10\QuickCam10.exe" /hide
O4 - HKLM\..\Run: [ButtonMonitor] C:\Program Files\Verbatim\ButtonMonitor\/ButtonMonitor.exe
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\retadpu1000904.exe 61A847B5BBF72813329B385F72FD01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
O4 - HKLM\..\Run: [InfoData] rundll32.exe "C:\WINDOWS\system32\bqnfbrcm.dll",realset
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe"
O4 - HKCU\..\Run: [Registry Cleaner Scheduler] "C:\Program Files\CleanMyPC\Registry Cleaner\RCScheduler.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [IpWins] C:\Program Files\Ipwindows\ipwins.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\Spy Ware Apps\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Search - http://edits.mywebse...?p=ZNxdm824KPCA
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://www.nick.com/.../GrooveAX25.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: efcdd - C:\WINDOWS\system32\efcdd.dll
O20 - Winlogon Notify: fccyxxx - C:\WINDOWS\
O20 - Winlogon Notify: ied026 - ied026.dll (file missing)
O20 - Winlogon Notify: iiffg - C:\WINDOWS\
O20 - Winlogon Notify: rqronom - C:\WINDOWS\
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: yayvuvs - C:\WINDOWS\SYSTEM32\yayvuvs.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

#6 kileyray

Authentic Member

Authentic Member
22 posts

Posted 02 May 2007 - 07:59 PM

"Korene" - 07-05-02 18:11:13 Service Pack 2
ComboFix 07-04-25.4V - Running from: "C:\Documents and Settings\Korene\Desktop\"

(((((((((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))

C:\WINDOWS\system32\cbawx.dll
C:\WINDOWS\system32\xxyvw.dll
C:\WINDOWS\system32\etbpjgku.dll
C:\WINDOWS\system32\jjoakeak.dll
C:\WINDOWS\system32\qcfcxmon.dll
C:\WINDOWS\system32\vgqaqbqv.dll
C:\WINDOWS\system32\mljiihf.dll
C:\WINDOWS\system32\mljjihi.dll
C:\WINDOWS\system32\urqnmmk.dll
C:\WINDOWS\system32\vturonm.dll
C:\WINDOWS\system32\xxyvtus.dll
C:\WINDOWS\system32\xxyxyaw.dll
C:\WINDOWS\system32\xwabc.ini2
C:\WINDOWS\system32\xwabc.tmp
C:\WINDOWS\system32\wvyxx.ini

* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\Program Files\ipwindows\ipwins.exe
C:\Program Files\ipwindows\UnInstall.exe
C:\WINDOWS\system32\drivers\fad.sys
C:\WINDOWS\hosts
C:\Program Files\inetget2
C:\Program Files\ipwindows

((((((((((((((((((((((((((((((( Files Created from 2007-04-02 to 2007-05-02 ))))))))))))))))))))))))))))))))))

2007-05-02 18:05 <DIR> d-------- C:\DOCUME~1\Korene\APPLIC~1\Comodo
2007-05-02 18:05 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Comodo
2007-05-02 17:58 <DIR> d-------- C:\Program Files\Comodo
2007-05-01 20:49 869,950 ---hs---- C:\WINDOWS\SYSTEM32\ddcfe.bak1
2007-05-01 20:25 26,678 --a------ C:\WINDOWS\SYSTEM32\nnnlkjh.dll
2007-05-01 20:21 26,678 --a------ C:\WINDOWS\SYSTEM32\nnnkkhh.dll
2007-04-30 20:49 865,376 ---hs---- C:\WINDOWS\SYSTEM32\ddcfe.bak2
2007-04-30 20:49 132,660 --a------ C:\WINDOWS\SYSTEM32\bqnfbrcm.dll
2007-04-30 20:06 26,678 --a------ C:\WINDOWS\SYSTEM32\khfdede.dll
2007-04-30 20:05 270,336 --a------ C:\DOCUME~1\Korene\olo.exe
2007-04-30 20:05 26,678 --a------ C:\WINDOWS\SYSTEM32\pmnkkhe.dll
2007-04-30 20:05 12,374 --a------ C:\DOCUME~1\Korene\sis.exe
2007-04-30 20:01 26,678 --a------ C:\WINDOWS\SYSTEM32\mljklkh.dll
2007-04-30 18:14 284,244 ---hs---- C:\WINDOWS\SYSTEM32\efcdd.dll
2007-04-30 18:14 284,244 ---hs---- C:\WINDOWS\SYSTEM32\cbxyx.dll
2007-04-30 17:40 45,056 --a------ C:\WINDOWS\retadpu1000904.exe
2007-04-30 17:40 26,678 --a------ C:\WINDOWS\SYSTEM32\yayvuvs.dll
2007-04-26 23:31 77,312 --a------ C:\WINDOWS\ua2.dll
2007-04-26 22:01 272,384 --a--c--- C:\kk.exe
2007-04-26 21:59 956,525 ---hs---- C:\WINDOWS\SYSTEM32\gffii.bak2
2007-04-26 21:28 961,837 ---hs---- C:\WINDOWS\SYSTEM32\gffii.ini2
2007-04-26 17:31 956,193 ---hs---- C:\WINDOWS\SYSTEM32\gffii.bak1
2007-04-26 17:24 272,384 --a------ C:\WINDOWS\kk.exe
2007-04-24 10:11 <DIR> d-------- C:\Program Files\Showoff Home Design
2007-04-22 16:53 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\FLEXnet
2007-04-22 14:01 <DIR> d-------- C:\Program Files\Bonjour
2007-04-22 13:45 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2007-04-15 09:59 81 --a--c--- C:\CTX.DAT
2007-04-15 09:59 <DIR> d-------- C:\DOCUME~1\Korene\Citrix
2007-04-10 18:05 <DIR> d-------- C:\Program Files\Verbatim
2007-04-09 13:33 <DIR> d-------- C:\Program Files\Benjamin Moore

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-04-27 18:38 62266 --a------ C:\WINDOWS\SYSTEM32\nvmodes.dat
2007-04-26 17:25 -------- d-------- C:\Program Files\msn messenger
2007-04-22 19:08 -------- d-------- C:\Program Files\google
2007-04-22 18:58 -------- d--h----- C:\Program Files\installshield installation information
2007-03-21 20:54 77312 --a------ C:\WINDOWS\SYSTEM32\twain_32.dll
2007-03-21 20:54 69632 --a------ C:\WINDOWS\SYSTEM32\twunk_32.exe
2007-03-21 20:54 48560 --a------ C:\WINDOWS\SYSTEM32\twunk_16.exe
2007-03-19 17:32 -------- d-------- C:\Program Files\logitech
2007-03-18 10:32 44288 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\cdr4_xp.sys
2007-03-17 06:43 292864 --a------ C:\WINDOWS\SYSTEM32\winsrv.dll
2007-03-15 07:08 101438 --a------ C:\WINDOWS\b122.exe
2007-03-08 08:36 577536 --a------ C:\WINDOWS\SYSTEM32\user32.dll
2007-03-08 08:36 40960 --a------ C:\WINDOWS\SYSTEM32\mf3216.dll
2007-03-08 08:36 281600 --a------ C:\WINDOWS\SYSTEM32\gdi32.dll
2007-03-08 06:47 1843584 --a------ C:\WINDOWS\SYSTEM32\win32k.sys
2007-02-08 00:24 323624 --a------ C:\WINDOWS\SYSTEM32\wiaaut.dll
2007-02-05 13:17 185344 --a------ C:\WINDOWS\SYSTEM32\upnphost.dll
2007-02-03 10:32 527136 --a------ C:\WINDOWS\SYSTEM32\lvui2rc.dll
2007-02-03 10:32 215840 --a------ C:\WINDOWS\SYSTEM32\lvui2.dll
2007-02-03 10:29 264992 --a------ C:\WINDOWS\SYSTEM32\lvcodec2.dll
2007-02-03 10:29 129824 --a------ C:\WINDOWS\SYSTEM32\lvci1051.dll
2007-02-03 09:01 13398 --a------ C:\WINDOWS\SYSTEM32\repository.reg

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{469A7591-94FA-43BF-B8F7-91B00715363B} C:\WINDOWS\system32\yayvuvs.dll
{4A368E80-174F-4872-96B5-0B27DDD11DB2} C:\Program Files\Spy Ware Apps\SpywareGuard\dlprotect.dll
{53707962-6F74-2D53-2644-206D7942484F} C:\PROGRA~1\SPYBOT~1\SDHelper.dll
{8D0C8CC2-40CB-4B1E-B6C2-0C572E10BDB3} C:\WINDOWS\system32\efcdd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"PCTVOICE"="pctspk.exe"
"DVDSentry"="C:\\WINDOWS\\System32\\DSentry.exe"
"type32"="\"C:\\Program Files\\Microsoft IntelliType Pro\\type32.exe\""
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"Apoint"="C:\\Program Files\\Apoint\\Apoint.exe"
"VF0070 STISvc"="RunDLL32.exe V0070Pin.dll,RunDLL32EP 513"
"IntelliPoint"="\"C:\\Program Files\\Microsoft IntelliPoint\\point32.exe\""
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_07\\bin\\jusched.exe"
"Motive SmartBridge"="C:\\PROGRA~1\\TELUSE~1\\SMARTB~1\\MotiveSB.exe"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"LogitechCommunicationsManager"="\"C:\\Program Files\\Common Files\\LogiShrd\\LComMgr\\Communications_Helper.exe\""
"LogitechQuickCamRibbon"="\"C:\\Program Files\\Logitech\\QuickCam10\\QuickCam10.exe\" /hide"
"ButtonMonitor"="C:\\Program Files\\Verbatim\\ButtonMonitor\\/ButtonMonitor.exe"
"runner1"="C:\\WINDOWS\\retadpu1000904.exe 61A847B5BBF72813329B385F72FD01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310"
"InfoData"="rundll32.exe \"C:\\WINDOWS\\system32\\bqnfbrcm.dll\",realset"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"COMODO Firewall Pro"="\"C:\\Program Files\\Comodo\\Firewall\\CPF.exe\" /background"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"PopUpStopperFreeEdition"="\"C:\\Program Files\\Panicware\\Pop-Up Stopper Free Edition\\PSFree.exe\""
"Registry Cleaner Scheduler"="\"C:\\Program Files\\CleanMyPC\\Registry Cleaner\\RCScheduler.exe\" /startup"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"IpWins"="C:\\Program Files\\Ipwindows\\ipwins.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\AdobeUpdater]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{EC496241-89E3-4449-A6EF-9FBC6C8CCA93}"=""
"{0EB1F5A0-D3DD-4F3F-AFFC-9DBE20DB79B0}"=""
"{469A7591-94FA-43BF-B8F7-91B00715363B}"=""

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\efcdd
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fccyxxx
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ied026
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iiffg
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rqronom
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\yayvuvs

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\
Security Packages REG_MULTI_SZ kerberosmsv1_0schannelwdigest\
Notification Packages REG_MULTI_SZ scecli\

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
"backup"="C:\\WINDOWS\\pss\\Adobe Reader Speed Launch.lnkCommon Startup"
"location"="Common Startup"
"command"="\"C:\\Program Files\\Adobe\\Acrobat 7.0\\Reader\\reader_sl.exe\" "
"item"="Adobe Reader Speed Launch"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
"backup"="C:\\WINDOWS\\pss\\Kodak EasyShare software.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Kodak\\KODAKE~1\\bin\\EASYSH~1.EXE -h"
"item"="Kodak EasyShare software"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak software updater.lnk]
"backup"="C:\\WINDOWS\\pss\\Kodak software updater.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Kodak\\KODAKS~1\\7288971\\Program\\KODAKS~1.EXE "
"item"="Kodak software updater"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKLM"
"command"=""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="DirectCD"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Roxio\\Easy CD Creator 5\\DirectCD\\DirectCD.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="MimBoot"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="MMTray"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Musicmatch\\Musicmatch Jukebox\\mm_tray.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msnmsgr"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\New.net Startup]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="New.net Startup"
"hkey"="HKLM"
"command"="rundll32 C:\\PROGRA~1\\NEWDOT~1\\NEWDOT~1.DLL,NewDotNetStartup -s"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Reminder"
"hkey"="HKCU"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="TkBellExe"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ AlerterWebClientLmHostsRemoteRegistryupnphostSSDPSRV\
NetworkService REG_MULTI_SZ DnsCache\
rpcss REG_MULTI_SZ RpcSs\
imgsvc REG_MULTI_SZ StiSvc\
termsvcs REG_MULTI_SZ TermService\
HTTPFilter REG_MULTI_SZ HTTPFilter\
DcomLaunch REG_MULTI_SZ DcomLaunchTermService\

*newlycreated* - HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\LEGACY_CMDAGENT
*newlycreated* - HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\LEGACY_CMDMON
*newlycreated* - HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\LEGACY_INSPECT

~ ~ ~ ~ ~ ~ ~ ~ Hijackthis Backups ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

backup-20050815-090930-458
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
backup-20050503-032545-940
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
backup-20050503-032534-675
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
backup-20050502-164216-896
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
backup-20050502-164216-439
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
backup-20050502-164216-196
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
backup-20050502-164216-807
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
backup-20050502-164216-629
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
backup-20050502-164216-332
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
backup-20050502-164216-523
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
backup-20050502-164216-552
O4 - HKLM\..\Run: [gah95on6] C:\WINDOWS\system32\gah95on6.exe
backup-20050418-184015-711
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abac...abasetup132.cab
backup-20050418-184015-555
O16 - DPF: {D7BF3304-138B-4DD5-86EE-491BB6A2286C} - http://www.azebar.co...l/azesearch.cab
backup-20050418-184015-733
O3 - Toolbar: Search Toolbar - {a19ef336-01d4-48e6-926a-fe7e1c747aed} - C:\WINDOWS\system32\azesearch3.dll
backup-20050418-184015-450
O2 - BHO: AddressBar Class - {f65b197f-8260-4d52-909a-f70118e646eb} - C:\WINDOWS\system32\iasadm.dll
backup-20050418-184015-947
O2 - BHO: ZToolbar Activator Class - {da7ff3f8-08be-4cac-bc00-94d91c6ae7f4} - C:\WINDOWS\system32\azesearch3.dll
backup-20050418-184014-628
O2 - BHO: AddressBar Class - {1474CE44-8057-4AE3-8F3E-ED37C7C63D8A} - C:\WINDOWS\system32\iasad.dll

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\Symantec NetDetect.job

********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-02 18:26:42
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

********************************************************************

Completion time: 07-05-02 18:27:26
C:\ComboFix-quarantined-files.txt ... 07-05-02 18:27

#7 Markka

Advanced Member

Banned
784 posts

Posted 03 May 2007 - 09:24 AM

Hello

Please download VundoFix.exe to your desktop.

Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HiJackThis log.

Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

#8 kileyray

Authentic Member

Authentic Member
22 posts

Posted 03 May 2007 - 08:58 PM

#9 kileyray

Authentic Member

Authentic Member
22 posts

Posted 03 May 2007 - 09:02 PM

Logfile of HijackThis v1.99.1
Scan saved at 7:59:57 PM, on 03/05/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam10\QuickCam10.exe
C:\Program Files\Verbatim\ButtonMonitor\ButtonMonitor.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe
C:\Program Files\CleanMyPC\Registry Cleaner\RCScheduler.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spy Ware Apps\SpywareGuard\sgmain.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe
C:\Program Files\Spy Ware Apps\SpywareGuard\sgbhp.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Java\jre1.5.0_07\bin\jucheck.exe
C:\HJT\Scanner.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mytelus.com/news/display.do
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {469A7591-94FA-43BF-B8F7-91B00715363B} - C:\WINDOWS\system32\yayvuvs.dll
O2 - BHO: SpywareGuardDLBLOCK.CBrowserHelper - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\Spy Ware Apps\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {8D0C8CC2-40CB-4B1E-B6C2-0C572E10BDB3} - C:\WINDOWS\system32\efcdd.dll (file missing)
O2 - BHO: (no name) - {B5016BC2-13B0-44A2-B4A4-80B06DA086CA} - C:\WINDOWS\system32\opnnn.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [VF0070 STISvc] RunDLL32.exe V0070Pin.dll,RunDLL32EP 513
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\TELUSE~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam10\QuickCam10.exe" /hide
O4 - HKLM\..\Run: [ButtonMonitor] C:\Program Files\Verbatim\ButtonMonitor\/ButtonMonitor.exe
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\retadpu1000904.exe 61A847B5BBF72813329B385F72FD01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
O4 - HKLM\..\Run: [InfoData] rundll32.exe "C:\WINDOWS\system32\bqnfbrcm.dll",realset
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [WindowsService] rundll32.exe "C:\WINDOWS\system32\fbvfffpa.dll",realset
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe"
O4 - HKCU\..\Run: [Registry Cleaner Scheduler] "C:\Program Files\CleanMyPC\Registry Cleaner\RCScheduler.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [IpWins] C:\Program Files\Ipwindows\ipwins.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\Spy Ware Apps\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Search - http://edits.mywebse...?p=ZNxdm824KPCA
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://www.nick.com/.../GrooveAX25.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: fccyxxx - C:\WINDOWS\
O20 - Winlogon Notify: ied026 - ied026.dll (file missing)
O20 - Winlogon Notify: iiffg - C:\WINDOWS\
O20 - Winlogon Notify: opnnn - C:\WINDOWS\system32\opnnn.dll
O20 - Winlogon Notify: rqronom - C:\WINDOWS\
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: yayvuvs - C:\WINDOWS\SYSTEM32\yayvuvs.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

#10 Markka

Advanced Member

Banned
784 posts

Posted 04 May 2007 - 06:23 AM

Hello

Before we'll continue I would like you to too upload few malware files for further inspection.

Make your hidden files visible:

Go to My Computer
Select the Tools menu and click Folder Options
Click the View tab.
Checkmark the "Display the contents of system folders"
Under the Hidden files and folders select "Show hidden files and folders"
Uncheck "Hide protected operating system files"
Click Apply and then the OK and close My Computer.

Please go here to upload a suspicious file for analysis.

Enter your username from this forum
Copy and paste the link to this thread
- Click "Browse" on the 1. field.
  Browse to the following file and click the file with your mouse, press "Open"
  C:\WINDOWS\system32\opnnn.dll
In the comments, please mention that I asked you to upload this file
Click on Send File

Thank you

You should send this file also to the Uploadmalware.com
C:\WINDOWS\system32\yayvuvs.dll

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Please download VundoFix.exe to your desktop.

Double-click VundoFix.exe to run it.
Put a check next to Run VundoFix as a task.
You will receive a message saying vundofix will close and re-open in a minute or less. Click OK
When VundoFix re-opens,Click Scan for Vundo button.
Once the scan is complete, Right Click inside the listbox (white box) and click add more files
Copy&Paste the 2 entries below into the top 2 boxes
- C:\WINDOWS\system32\opnnn.dll
- C:\WINDOWS\system32\nnnpo.*
Click Add Files and Click Close Window
Click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will shutdown your computer, click OK.
Turn your computer back on.

Re-run the vundofix: (note; now we are going to delete second vundo file!)

Double-click VundoFix.exe to run it.
Put a check next to Run VundoFix as a task.
You will receive a message saying vundofix will close and re-open in a minute or less. Click OK
When VundoFix re-opens,Click Scan for Vundo button.
Once the scan is complete, Right Click inside the listbox (white box) and click add more files
Copy&Paste the 2 entries below into the top 2 boxes
- C:\WINDOWS\system32\yayvuvs.dll
- C:\WINDOWS\system32\svuvyay.*
Click Add Files and Click Close Window
Click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will shutdown your computer, click OK.
Turn your computer back on.
Please post the contents of C:\vundofix.txt and a new HiJackThis log.

Advertisements

Register to Remove

#11 kileyray

Authentic Member

Authentic Member
22 posts

Posted 04 May 2007 - 02:53 PM

Logfile of HijackThis v1.99.1
Scan saved at 1:50:25 PM, on 04/05/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam10\QuickCam10.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe
C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe
C:\Program Files\CleanMyPC\Registry Cleaner\RCScheduler.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spy Ware Apps\SpywareGuard\sgmain.exe
C:\Program Files\Spy Ware Apps\SpywareGuard\sgbhp.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\Java\jre1.5.0_07\bin\jucheck.exe
C:\HJT\Scanner.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mytelus.com/news/display.do
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {469A7591-94FA-43BF-B8F7-91B00715363B} - C:\WINDOWS\system32\yayvuvs.dll (file missing)
O2 - BHO: SpywareGuardDLBLOCK.CBrowserHelper - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\Spy Ware Apps\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {590A0FE4-1C6C-4ACE-96F5-4D97254DD724} - C:\WINDOWS\system32\urqqr.dll (file missing)
O2 - BHO: (no name) - {8D0C8CC2-40CB-4B1E-B6C2-0C572E10BDB3} - C:\WINDOWS\system32\efcdd.dll (file missing)
O2 - BHO: (no name) - {B5016BC2-13B0-44A2-B4A4-80B06DA086CA} - C:\WINDOWS\system32\opnnn.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [VF0070 STISvc] RunDLL32.exe V0070Pin.dll,RunDLL32EP 513
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\TELUSE~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam10\QuickCam10.exe" /hide
O4 - HKLM\..\Run: [ButtonMonitor] C:\Program Files\Verbatim\ButtonMonitor\/ButtonMonitor.exe
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\retadpu1000904.exe 61A847B5BBF72813329B385F72FD01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
O4 - HKLM\..\Run: [InfoData] rundll32.exe "C:\WINDOWS\system32\bqnfbrcm.dll",realset
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [WindowsService] rundll32.exe "C:\WINDOWS\system32\fbvfffpa.dll",realset
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe"
O4 - HKCU\..\Run: [Registry Cleaner Scheduler] "C:\Program Files\CleanMyPC\Registry Cleaner\RCScheduler.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [IpWins] C:\Program Files\Ipwindows\ipwins.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\Spy Ware Apps\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Search - http://edits.mywebse...?p=ZNxdm824KPCA
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://www.nick.com/.../GrooveAX25.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: fccyxxx - C:\WINDOWS\
O20 - Winlogon Notify: ied026 - ied026.dll (file missing)
O20 - Winlogon Notify: iiffg - C:\WINDOWS\
O20 - Winlogon Notify: rqronom - C:\WINDOWS\
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

#12 kileyray

Authentic Member

Authentic Member
22 posts

Posted 04 May 2007 - 02:56 PM

VundoFix V6.3.21 Checking Java version... Java version is 1.4.2.6 Old versions of java are exploitable and should be removed. Java version is 1.5.0.5 Old versions of java are exploitable and should be removed. Java version is 1.5.0.7 Old versions of java are exploitable and should be removed. Scan started at 6:36:02 PM 03/05/2007 Listing files found while scanning.... C:\WINDOWS\SYSTEM32\bqnfbrcm.dll C:\WINDOWS\SYSTEM32\bvgeftoa.dll C:\WINDOWS\system32\ddcfe.bak1 C:\WINDOWS\system32\ddcfe.bak2 C:\WINDOWS\system32\ddcfe.ini C:\WINDOWS\system32\efcdd.dll C:\WINDOWS\SYSTEM32\mcrbfnqb.ini Beginning removal... Attempting to delete C:\WINDOWS\SYSTEM32\bqnfbrcm.dll C:\WINDOWS\SYSTEM32\bqnfbrcm.dll Has been deleted! Attempting to delete C:\WINDOWS\SYSTEM32\bvgeftoa.dll C:\WINDOWS\SYSTEM32\bvgeftoa.dll Has been deleted! Attempting to delete C:\WINDOWS\system32\ddcfe.bak1 C:\WINDOWS\system32\ddcfe.bak1 Has been deleted! Attempting to delete C:\WINDOWS\system32\ddcfe.bak2 C:\WINDOWS\system32\ddcfe.bak2 Has been deleted! Attempting to delete C:\WINDOWS\system32\ddcfe.ini C:\WINDOWS\system32\ddcfe.ini Has been deleted! Attempting to delete C:\WINDOWS\system32\efcdd.dll C:\WINDOWS\system32\efcdd.dll Has been deleted! Attempting to delete C:\WINDOWS\SYSTEM32\mcrbfnqb.ini C:\WINDOWS\SYSTEM32\mcrbfnqb.ini Has been deleted! Performing Repairs to the registry. Done! Beginning removal... VundoFix V6.3.21 Checking Java version... Java version is 1.4.2.6 Old versions of java are exploitable and should be removed. Java version is 1.5.0.5 Old versions of java are exploitable and should be removed. Java version is 1.5.0.7 Old versions of java are exploitable and should be removed. Scan started at 10:30:45 AM 04/05/2007 Listing files found while scanning.... C:\WINDOWS\system32\nnnpo.bak1 C:\WINDOWS\system32\nnnpo.ini C:\WINDOWS\SYSTEM32\oejtqnmr.dll C:\WINDOWS\system32\opnnn.dll Beginning removal... Attempting to delete C:\WINDOWS\system32\nnnpo.bak1 C:\WINDOWS\system32\nnnpo.bak1 Has been deleted! Attempting to delete C:\WINDOWS\system32\nnnpo.ini C:\WINDOWS\system32\nnnpo.ini Has been deleted! Attempting to delete C:\WINDOWS\SYSTEM32\oejtqnmr.dll C:\WINDOWS\SYSTEM32\oejtqnmr.dll Has been deleted! Attempting to delete C:\WINDOWS\system32\opnnn.dll C:\WINDOWS\system32\opnnn.dll Has been deleted! Performing Repairs to the registry. Done! VundoFix V6.3.21 Checking Java version... Java version is 1.4.2.6 Old versions of java are exploitable and should be removed. Java version is 1.5.0.5 Old versions of java are exploitable and should be removed. Java version is 1.5.0.7 Old versions of java are exploitable and should be removed. Scan started at 11:36:40 AM 04/05/2007 Listing files found while scanning.... C:\WINDOWS\system32\rqqru.bak1 C:\WINDOWS\system32\rqqru.ini C:\WINDOWS\system32\urqqr.dll Beginning removal... Attempting to delete C:\WINDOWS\system32\rqqru.bak1 C:\WINDOWS\system32\rqqru.bak1 Has been deleted! Attempting to delete C:\WINDOWS\system32\rqqru.ini C:\WINDOWS\system32\rqqru.ini Has been deleted! Attempting to delete C:\WINDOWS\system32\urqqr.dll C:\WINDOWS\system32\urqqr.dll Could not be deleted. Attempting to delete C:\WINDOWS\system32\yayvuvs.dll C:\WINDOWS\system32\yayvuvs.dll Has been deleted! Performing Repairs to the registry. Done! VundoFix V6.3.21 Checking Java version... Java version is 1.4.2.6 Old versions of java are exploitable and should be removed. Java version is 1.5.0.5 Old versions of java are exploitable and should be removed. Java version is 1.5.0.7 Old versions of java are exploitable and should be removed. Scan started at 12:35:36 PM 04/05/2007 Listing files found while scanning.... No infected files were found. Beginning removal... VundoFix V6.3.21 Checking Java version... Java version is 1.4.2.6 Old versions of java are exploitable and should be removed. Java version is 1.5.0.5 Old versions of java are exploitable and should be removed. Java version is 1.5.0.7 Old versions of java are exploitable and should be removed. Scan started at 1:29:45 PM 04/05/2007 Listing files found while scanning.... C:\WINDOWS\system32\rqqru.bak1 C:\WINDOWS\system32\rqqru.ini C:\WINDOWS\system32\urqqr.dll Beginning removal... Attempting to delete C:\WINDOWS\system32\rqqru.bak1 C:\WINDOWS\system32\rqqru.bak1 Has been deleted! Attempting to delete C:\WINDOWS\system32\rqqru.ini C:\WINDOWS\system32\rqqru.ini Has been deleted! Attempting to delete C:\WINDOWS\system32\urqqr.dll C:\WINDOWS\system32\urqqr.dll Has been deleted! Performing Repairs to the registry. Done!

#13 Markka

Advanced Member

Banned
784 posts

Posted 05 May 2007 - 01:59 AM

Hello

Disable SpywareGuard:

Right click the running icon of Spywareguard, it will open the program.
Then go to Menu, file, exit.
Then confirm the program is closed.
*******************************************************************************************

Please download AVG Anti-Spyware to your Desktop or to your usual Download Folder.
http://www.ewido.net/en/download/

Install AVG Anti-Spyware by double clicking the installer.
Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked.
On the main screen under Your Computer's security.
- Click on Change state next to Resident shield. It should now change to inactive.
- Click on Change state next to Automatic updates. It should now change to inactive.
- Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
- Wait until you see the Update succesfull message.
Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.

If you are having problems with the updater, you can use this link to manually update ewido.
AVG Anti-Spyware manual updates.
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.

*******************************************************************************************

Open HijackThis, Click Do a system scan only, checkmark these. Then close all others windows except HijackThis and press fix checked.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {469A7591-94FA-43BF-B8F7-91B00715363B} - C:\WINDOWS\system32\yayvuvs.dll (file missing)
O2 - BHO: (no name) - {590A0FE4-1C6C-4ACE-96F5-4D97254DD724} - C:\WINDOWS\system32\urqqr.dll (file missing)
O2 - BHO: (no name) - {8D0C8CC2-40CB-4B1E-B6C2-0C572E10BDB3} - C:\WINDOWS\system32\efcdd.dll (file missing)
O2 - BHO: (no name) - {B5016BC2-13B0-44A2-B4A4-80B06DA086CA} - C:\WINDOWS\system32\opnnn.dll (file missing)
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\retadpu1000904.exe 61A847B5BBF72813329B385F72FD01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
O4 - HKLM\..\Run: [InfoData] rundll32.exe "C:\WINDOWS\system32\bqnfbrcm.dll",realset
O4 - HKLM\..\Run: [WindowsService] rundll32.exe "C:\WINDOWS\system32\fbvfffpa.dll",realset
O4 - HKCU\..\Run: [IpWins] C:\Program Files\Ipwindows\ipwins.exe
O8 - Extra context menu item: &Search - http://edits.mywebse...?p=ZNxdm824KPCA
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O20 - Winlogon Notify: fccyxxx - C:\WINDOWS\
O20 - Winlogon Notify: ied026 - ied026.dll (file missing)
O20 - Winlogon Notify: iiffg - C:\WINDOWS\
O20 - Winlogon Notify: rqronom - C:\WINDOWS\

*******************************************************************************************

Make your hidden files visible:

Click start
Click my computer
Select the Tools menu and click Folder Options.
After the new window appears select the View tab.
Put a checkmark in the checkbox labeled Display the contents of system folders.
Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
Remove the checkmark from the checkbox labeled Hide file extensions for known file types.
Remove the checkmark from the checkbox labeled Hide protected operating system files.
Press the Apply button and then the OK button and shutdown My Computer.

*******************************************************************************************

Please download ATF-cleaner and save it to your desktop.

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

If you use Firefox browser:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

*******************************************************************************************
Please then reboot your computer in Safe Mode by doing the following:

Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, the Advanced Options Menu should appear;
Select the first option, to run Windows in Safe Mode, then press Enter.
Choose your usual account.

*******************************************************************************************

Delete these files: (if found)
C:\WINDOWS\retadpu1000904.exe
C:\WINDOWS\system32\bqnfbrcm.dll
C:\WINDOWS\system32\fbvfffpa.dll

*******************************************************************************************

Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.

Click on Scanner on the toolbar.
Click on the Settings tab.
- Under How to act?
  - Click on Recommended Action and choose Quarantine from the popup menu.
- Under How to scan?
  - All checkboxes should be ticked.
- Under Possibly unwanted software:
  - All checkboxes should be ticked.
- Under Reports:
  - Select Automatically generate report after every scan and uncheck Only if threats were found.
- Under What to scan?
  - Select Scan every file.
Click on the Scan tab.
Click on Complete System Scan to start the scan process.
Let the program scan the machine.
When the scan has finished, follow the instructions below.
IMPORTANT : Don't click on the "Save Scan Report" button before you did hit the "Apply all Actions" button.
- Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
- At the bottom of the window click on the Apply all Actions button. (3)
When done, click the Save Scan Report button. (4)
- Click the Save Report as button.
- Save the report to your Desktop.
Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.

Reboot in Normal Mode.

*******************************************************************************************

Post:
- A fresh HijackThis log
- AVG's log

#14 kileyray

Authentic Member

Authentic Member
22 posts

Posted 05 May 2007 - 10:39 AM

--------------------------------------------------------- AVG Anti-Spyware - Scan Report --------------------------------------------------------- + Created at: 9:19:26 AM 05/05/2007 + Scan result: C:\Program Files\TopText\CHCON.dll -> Adware.EZula : Cleaned with backup (quarantined). C:\Program Files\TopText\CHPON.dll -> Adware.EZula : Cleaned with backup (quarantined). C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1078\A0075831.exe -> Adware.NewDotNet : Cleaned with backup (quarantined). C:\WINDOWS\SYSTEM32\70tovmto.ini -> Adware.Sahat : Cleaned with backup (quarantined). C:\WINDOWS\b122.exe -> Adware.Softomate : Cleaned with backup (quarantined). C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1078\A0075855.dll -> Adware.Virtumonde : Cleaned with backup (quarantined). C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1078\A0077914.exe -> Downloader.Agent.bls : Cleaned with backup (quarantined). C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1079\A0077995.exe -> Downloader.Agent.bls : Cleaned with backup (quarantined). C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1081\A0078092.exe -> Downloader.Agent.bls : Cleaned with backup (quarantined). C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1082\A0078098.exe -> Downloader.Agent.bls : Cleaned with backup (quarantined). C:\Program Files\TopText\sepng.dll -> Not-A-Virus.PSWTool.Win32.EZula.bf : Cleaned with backup (quarantined). :mozilla.127:C:\Documents and Settings\Korene\Application Data\Mozilla\Firefox\Profiles\f0xyccr4.default\cookies.txt -> TrackingCookie.247realmedia : Cleaned. :mozilla.100:C:\Documents and Settings\Korene\Application Data\Mozilla\Firefox\Profiles\f0xyccr4.default\cookies.txt -> TrackingCookie.2o7 : Cleaned. :mozilla.101:C:\Documents and Settings\Korene\Application Data\Mozilla\Firefox\Profiles\f0xyccr4.default\cookies.txt -> TrackingCookie.2o7 : Cleaned. :mozilla.102:C:\Documents and Settings\Korene\Application Data\Mozilla\Firefox\Profiles\f0xyccr4.default\cookies.txt -> TrackingCookie.2o7 : Cleaned. :mozilla.103:C:\Documents and Settings\Korene\Application Data\Mozilla\Firefox\Profiles\f0xyccr4.default\cookies.txt -> TrackingCookie.2o7 : Cleaned. :mozilla.104:C:\Documents and Settings\Korene\Application Data\Mozilla\Firefox\Profiles\f0xyccr4.default\cookies.txt -> TrackingCookie.2o7 : Cleaned. :mozilla.105:C:\Documents and Settings\Korene\Application Data\Mozilla\Firefox\Profiles\f0xyccr4.default\cookies.txt -> TrackingCookie.2o7 : Cleaned. :mozilla.106:C:\Documents and Settings\Korene\Application Data\Mozilla\Firefox\Profiles\f0xyccr4.default\cookies.txt -> TrackingCookie.2o7 : Cleaned. :mozilla.107:C:\Documents and Settings\Korene\Application Data\Mozilla\Firefox\Profiles\f0xyccr4.default\cookies.txt -> TrackingCookie.2o7 : Cleaned. :mozilla.108:C:\Documents and Settings\Korene\Application Data\Mozilla\Firefox\Profiles\f0xyccr4.default\cookies.txt -> TrackingCookie.2o7 : Cleaned. :mozilla.109:C:\Documents and Settings\Korene\Application Data\Mozilla\Firefox\Profiles\f0xyccr4.default\cookies.txt -> TrackingCookie.2o7 : Cleaned. :mozilla.110:C:\Documents and Settings\Korene\Application Data\Mozilla\Firefox\Profiles\f0xyccr4.default\cookies.txt -> TrackingCookie.2o7 : Cleaned. :mozilla.111:C:\Documents and Settings\Korene\Application Data\Mozilla\Firefox\Profiles\f0xyccr4.default\cookies.txt -> TrackingCookie.2o7 : Cleaned. :mozilla.112:C:\Documents and Settings\Korene\Application Data\Mozilla\Firefox\Profiles\f0xyccr4.default\cookies.txt -> TrackingCookie.2o7 : Cleaned. :mozilla.113:C:\Documents and Settings\Korene\Application Data\Mozilla\Firefox\Profiles\f0xyccr4.default\cookies.txt -> TrackingCookie.2o7 : Cleaned. :mozilla.114:C:\Documents and Settings\Korene\Application Data\Mozilla\Firefox\Profiles\f0xyccr4.default\cookies.txt -> TrackingCookie.2o7 : Cleaned. :mozilla.115:C:\Documents and Settings\Korene\Application Data\Mozilla\Firefox\Profiles\f0xyccr4.default\cookies.txt -> TrackingCookie.2o7 : Cleaned. :mozilla.183:C:\Documents and Settings\Korene\Application Data\Mozilla\Firefox\Profiles\f0xyccr4.default\cookies.txt -> TrackingCookie.2o7 : Cleaned. :mozilla.233:C:\Documents and Settings\Korene\Application Data\Mozilla\Firefox\Profiles\f0xyccr4.default\cookies.txt -> TrackingCookie.2o7 : Cleaned. :mozilla.245:C:\Documents and Settings\Korene\Application Data\Mozilla\Firefox\Profiles\f0xyccr4.default\cookies.txt -> TrackingCookie.2o7 : Cleaned. :mozilla.305:C:\Documents and Settings\Korene\Application Data\Mozilla\Firefox\Profiles\f0xyccr4.default\cookies.txt -> TrackingCookie.2o7 : Cleaned. :mozilla.92:C:\Documents and Settings\Korene\Application Data\Mozilla\Firefox\Profiles\f0xyccr4.default\cookies.txt -> TrackingCookie.2o7 : Cleaned. :mozilla.93:C:\Documents and Settings\Korene\Application Data\Mozilla\Firefox\Profiles\f0xyccr4.default\cookies.txt -> TrackingCookie.2o7 : Cleaned. :mozilla.94:C:\Documents and Settings\Korene\Application Data\Mozilla\Firefox\Profiles\f0xyccr4.default\cookies.txt -> TrackingCookie.2o7 : Cleaned. :mozilla.95:C:\Documents and Settings\Korene\Application Data\Mozilla\Firefox\Profiles\f0xyccr4.default\cookies.txt -> TrackingCookie.2o7 : Cleaned. :mozilla.96:C:\Documents and Settings\Korene\Application Data\Mozilla\Firefox\Profiles\f0xyccr4.default\cookies.txt -> TrackingCookie.2o7 : Cleaned. :mozilla.97:C:\Documents and Settings\Korene\Application Data\Mozilla\Firefox\Profiles\f0xyccr4.default\cookies.txt -> TrackingCookie.2o7 : Cleaned. :mozilla.98:C:\Documents and Settings\Korene\Application Data\Mozilla\Firefox\Profiles\f0xyccr4.default\cookies.txt -> TrackingCookie.2o7 : Cleaned. :mozilla.99:C:\Documents and Settings\Korene\Application Data\Mozilla\Firefox\Profiles\f0xyccr4.default\cookies.txt -> TrackingCookie.2o7 : Cleaned. :mozilla.64:C:\Documents and Settings\Korene\Application Data\Mozilla\Firefox\Profiles\f0xyccr4.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned. :mozilla.65:C:\Documents and Settings\Korene\Application Data\Mozilla\Firefox\Profiles\f0xyccr4.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned. :mozilla.69:C:\Documents and Settings\Korene\Application Data\Mozilla\Firefox\Profiles\f0xyccr4.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned. :mozilla.40:C:\Documents and Settings\Korene\Application Data\Mozilla\Firefox\Profiles\f0xyccr4.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned. :mozilla.28:C:\Documents and Settings\Korene\Application Data\Mozilla\Firefox\Profiles\f0xyccr4.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned. :mozilla.480:C:\Documents and Settings\Korene\Application Data\Mozilla\Firefox\Profiles\f0xyccr4.default\cookies.txt -> TrackingCookie.Bridgetrack : Cleaned. :mozilla.481:C:\Documents and Settings\Korene\Application Data\Mozilla\Firefox\Profiles\f0xyccr4.default\cookies.txt -> TrackingCookie.Bridgetrack : Cleaned. :mozilla.59:C:\Documents and Settings\Korene\Application Data\Mozilla\Firefox\Profiles\f0xyccr4.default\cookies.txt -> TrackingCookie.Clickhype : Cleaned. :mozilla.62:C:\Documents and Settings\Korene\Application Data\Mozilla\Firefox\Profiles\f0xyccr4.default\cookies.txt -> TrackingCookie.Clickhype : Cleaned. :mozilla.189:C:\Documents and Settings\Korene\Application Data\Mozilla\Firefox\Profiles\f0xyccr4.default\cookies.txt -> TrackingCookie.Com : Cleaned. :mozilla.190:C:\Documents and Settings\Korene\Application Data\Mozilla\Firefox\Profiles\f0xyccr4.default\cookies.txt -> TrackingCookie.Cpvfeed : Cleaned. :mozilla.191:C:\Documents and Settings\Korene\Application Data\Mozilla\Firefox\Profiles\f0xyccr4.default\cookies.txt -> TrackingCookie.Cpvfeed : Cleaned. :mozilla.192:C:\Documents and Settings\Korene\Application Data\Mozilla\Firefox\Profiles\f0xyccr4.default\cookies.txt -> TrackingCookie.Cpvfeed : Cleaned. :mozilla.193:C:\Documents and Settings\Korene\Application Data\Mozilla\Firefox\Profiles\f0xyccr4.default\cookies.txt -> TrackingCookie.Cpvfeed : Cleaned. :mozilla.27:C:\Documents and Settings\Korene\Application Data\Mozilla\Firefox\Profiles\f0xyccr4.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned. :mozilla.209:C:\Documents and Settings\Korene\Application Data\Mozilla\Firefox\Profiles\f0xyccr4.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned. :mozilla.76:C:\Documents and Settings\Korene\Application Data\Mozilla\Firefox\Profiles\f0xyccr4.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned. :mozilla.543:C:\Documents and Settings\Korene\Application Data\Mozilla\Firefox\Profiles\f0xyccr4.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned. :mozilla.544:C:\Documents and Settings\Korene\Application Data\Mozilla\Firefox\Profiles\f0xyccr4.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned. :mozilla.545:C:\Documents and Settings\Korene\Application Data\Mozilla\Firefox\Profiles\f0xyccr4.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned. :mozilla.123:C:\Documents and Settings\Korene\Application Data\Mozilla\Firefox\Profiles\f0xyccr4.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned. :mozilla.124:C:\Documents and Settings\Korene\Application Data\Mozilla\Firefox\Profiles\f0xyccr4.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned. :mozilla.125:C:\Documents and Settings\Korene\Application Data\Mozilla\Firefox\Profiles\f0xyccr4.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned. :mozilla.126:C:\Documents and Settings\Korene\Application Data\Mozilla\Firefox\Profiles\f0xyccr4.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned. :mozilla.26:C:\Documents and Settings\Korene\Application Data\Mozilla\Firefox\Profiles\f0xyccr4.default\cookies.txt -> TrackingCookie.Overture : Cleaned. :mozilla.329:C:\Documents and Settings\Korene\Application Data\Mozilla\Firefox\Profiles\f0xyccr4.default\cookies.txt -> TrackingCookie.Overture : Cleaned. :mozilla.559:C:\Documents and Settings\Korene\Application Data\Mozilla\Firefox\Profiles\f0xyccr4.default\cookies.txt -> TrackingCookie.Paypal : Cleaned. :mozilla.29:C:\Documents and Settings\Korene\Application Data\Mozilla\Firefox\Profiles\f0xyccr4.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned. :mozilla.30:C:\Documents and Settings\Korene\Application Data\Mozilla\Firefox\Profiles\f0xyccr4.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned. :mozilla.31:C:\Documents and Settings\Korene\Application Data\Mozilla\Firefox\Profiles\f0xyccr4.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned. :mozilla.32:C:\Documents and Settings\Korene\Application Data\Mozilla\Firefox\Profiles\f0xyccr4.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned. :mozilla.52:C:\Documents and Settings\Korene\Application Data\Mozilla\Firefox\Profiles\f0xyccr4.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned. :mozilla.53:C:\Documents and Settings\Korene\Application Data\Mozilla\Firefox\Profiles\f0xyccr4.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned. :mozilla.54:C:\Documents and Settings\Korene\Application Data\Mozilla\Firefox\Profiles\f0xyccr4.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned. :mozilla.55:C:\Documents and Settings\Korene\Application Data\Mozilla\Firefox\Profiles\f0xyccr4.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned. :mozilla.355:C:\Documents and Settings\Korene\Application Data\Mozilla\Firefox\Profiles\f0xyccr4.default\cookies.txt -> TrackingCookie.Realmedia : Cleaned. :mozilla.356:C:\Documents and Settings\Korene\Application Data\Mozilla\Firefox\Profiles\f0xyccr4.default\cookies.txt -> TrackingCookie.Realmedia : Cleaned. :mozilla.77:C:\Documents and Settings\Korene\Application Data\Mozilla\Firefox\Profiles\f0xyccr4.default\cookies.txt -> TrackingCookie.Revsci : Cleaned. :mozilla.78:C:\Documents and Settings\Korene\Application Data\Mozilla\Firefox\Profiles\f0xyccr4.default\cookies.txt -> TrackingCookie.Revsci : Cleaned. :mozilla.79:C:\Documents and Settings\Korene\Application Data\Mozilla\Firefox\Profiles\f0xyccr4.default\cookies.txt -> TrackingCookie.Revsci : Cleaned. :mozilla.80:C:\Documents and Settings\Korene\Application Data\Mozilla\Firefox\Profiles\f0xyccr4.default\cookies.txt -> TrackingCookie.Revsci : Cleaned. :mozilla.81:C:\Documents and Settings\Korene\Application Data\Mozilla\Firefox\Profiles\f0xyccr4.default\cookies.txt -> TrackingCookie.Revsci : Cleaned. :mozilla.82:C:\Documents and Settings\Korene\Application Data\Mozilla\Firefox\Profiles\f0xyccr4.default\cookies.txt -> TrackingCookie.Revsci : Cleaned. :mozilla.83:C:\Documents and Settings\Korene\Application Data\Mozilla\Firefox\Profiles\f0xyccr4.default\cookies.txt -> TrackingCookie.Revsci : Cleaned. :mozilla.84:C:\Documents and Settings\Korene\Application Data\Mozilla\Firefox\Profiles\f0xyccr4.default\cookies.txt -> TrackingCookie.Revsci : Cleaned. :mozilla.85:C:\Documents and Settings\Korene\Application Data\Mozilla\Firefox\Profiles\f0xyccr4.default\cookies.txt -> TrackingCookie.Revsci : Cleaned. :mozilla.86:C:\Documents and Settings\Korene\Application Data\Mozilla\Firefox\Profiles\f0xyccr4.default\cookies.txt -> TrackingCookie.Revsci : Cleaned. :mozilla.87:C:\Documents and Settings\Korene\Application Data\Mozilla\Firefox\Profiles\f0xyccr4.default\cookies.txt -> TrackingCookie.Revsci : Cleaned. :mozilla.7:C:\Documents and Settings\Korene\Application Data\Mozilla\Profiles\default\8bd6biii.slt\cookies.txt -> TrackingCookie.Ru4 : Cleaned. :mozilla.176:C:\Documents and Settings\Korene\Application Data\Mozilla\Firefox\Profiles\f0xyccr4.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned. :mozilla.381:C:\Documents and Settings\Korene\Application Data\Mozilla\Firefox\Profiles\f0xyccr4.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned. :mozilla.382:C:\Documents and Settings\Korene\Application Data\Mozilla\Firefox\Profiles\f0xyccr4.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned. :mozilla.383:C:\Documents and Settings\Korene\Application Data\Mozilla\Firefox\Profiles\f0xyccr4.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned. :mozilla.384:C:\Documents and Settings\Korene\Application Data\Mozilla\Firefox\Profiles\f0xyccr4.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned. :mozilla.385:C:\Documents and Settings\Korene\Application Data\Mozilla\Firefox\Profiles\f0xyccr4.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned. :mozilla.398:C:\Documents and Settings\Korene\Application Data\Mozilla\Firefox\Profiles\f0xyccr4.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned. :mozilla.399:C:\Documents and Settings\Korene\Application Data\Mozilla\Firefox\Profiles\f0xyccr4.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned. :mozilla.400:C:\Documents and Settings\Korene\Application Data\Mozilla\Firefox\Profiles\f0xyccr4.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned. :mozilla.401:C:\Documents and Settings\Korene\Application Data\Mozilla\Firefox\Profiles\f0xyccr4.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned. :mozilla.409:C:\Documents and Settings\Korene\Application Data\Mozilla\Firefox\Profiles\f0xyccr4.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned. :mozilla.410:C:\Documents and Settings\Korene\Application Data\Mozilla\Firefox\Profiles\f0xyccr4.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned. :mozilla.411:C:\Documents and Settings\Korene\Application Data\Mozilla\Firefox\Profiles\f0xyccr4.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned. :mozilla.412:C:\Documents and Settings\Korene\Application Data\Mozilla\Firefox\Profiles\f0xyccr4.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned. :mozilla.413:C:\Documents and Settings\Korene\Application Data\Mozilla\Firefox\Profiles\f0xyccr4.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned. :mozilla.34:C:\Documents and Settings\Korene\Application Data\Mozilla\Firefox\Profiles\f0xyccr4.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned. :mozilla.335:C:\Documents and Settings\Korene\Application Data\Mozilla\Firefox\Profiles\f0xyccr4.default\cookies.txt -> TrackingCookie.Valuead : Cleaned. :mozilla.336:C:\Documents and Settings\Korene\Application Data\Mozilla\Firefox\Profiles\f0xyccr4.default\cookies.txt -> TrackingCookie.Valuead : Cleaned. :mozilla.337:C:\Documents and Settings\Korene\Application Data\Mozilla\Firefox\Profiles\f0xyccr4.default\cookies.txt -> TrackingCookie.Valuead : Cleaned. :mozilla.338:C:\Documents and Settings\Korene\Application Data\Mozilla\Firefox\Profiles\f0xyccr4.default\cookies.txt -> TrackingCookie.Valuead : Cleaned. :mozilla.358:C:\Documents and Settings\Korene\Application Data\Mozilla\Firefox\Profiles\f0xyccr4.default\cookies.txt -> TrackingCookie.Valuead : Cleaned. :mozilla.359:C:\Documents and Settings\Korene\Application Data\Mozilla\Firefox\Profiles\f0xyccr4.default\cookies.txt -> TrackingCookie.Valuead : Cleaned. :mozilla.360:C:\Documents and Settings\Korene\Application Data\Mozilla\Firefox\Profiles\f0xyccr4.default\cookies.txt -> TrackingCookie.Valuead : Cleaned. :mozilla.361:C:\Documents and Settings\Korene\Application Data\Mozilla\Firefox\Profiles\f0xyccr4.default\cookies.txt -> TrackingCookie.Valuead : Cleaned. :mozilla.362:C:\Documents and Settings\Korene\Application Data\Mozilla\Firefox\Profiles\f0xyccr4.default\cookies.txt -> TrackingCookie.Valuead : Cleaned. :mozilla.496:C:\Documents and Settings\Korene\Application Data\Mozilla\Firefox\Profiles\f0xyccr4.default\cookies.txt -> TrackingCookie.Webtrends : Cleaned. :mozilla.70:C:\Documents and Settings\Korene\Application Data\Mozilla\Firefox\Profiles\f0xyccr4.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned. :mozilla.71:C:\Documents and Settings\Korene\Application Data\Mozilla\Firefox\Profiles\f0xyccr4.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned. :mozilla.72:C:\Documents and Settings\Korene\Application Data\Mozilla\Firefox\Profiles\f0xyccr4.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned. :mozilla.73:C:\Documents and Settings\Korene\Application Data\Mozilla\Firefox\Profiles\f0xyccr4.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned. :mozilla.74:C:\Documents and Settings\Korene\Application Data\Mozilla\Firefox\Profiles\f0xyccr4.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned. :mozilla.75:C:\Documents and Settings\Korene\Application Data\Mozilla\Firefox\Profiles\f0xyccr4.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned. :mozilla.88:C:\Documents and Settings\Korene\Application Data\Mozilla\Firefox\Profiles\f0xyccr4.default\cookies.txt -> TrackingCookie.Zedo : Cleaned. C:\QooBox\Quarantine\C\Program Files\Ipwindows\UnInstall.exe.vir -> Trojan.Rond : Cleaned with backup (quarantined). C:\QooBox\Quarantine\C\Program Files\Ipwindows\ipwins.exe.vir -> Trojan.Rond : Cleaned with backup (quarantined). C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1080\A0078036.exe -> Trojan.Rond : Cleaned with backup (quarantined). C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1080\A0078037.exe -> Trojan.Rond : Cleaned with backup (quarantined). C:\Documents and Settings\Korene\Desktop\olo.exe -> Worm.Agent.a : Cleaned with backup (quarantined). C:\Documents and Settings\Korene\olo.exe -> Worm.Agent.a : Cleaned with backup (quarantined). C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1078\A0077915.exe -> Worm.Agent.a : Cleaned with backup (quarantined). C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1080\A0077999.exe -> Worm.Agent.a : Cleaned with backup (quarantined). C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1080\A0078056.exe -> Worm.Agent.a : Cleaned with backup (quarantined). ::Report end

#15 kileyray

Authentic Member

Authentic Member
22 posts

Posted 05 May 2007 - 10:40 AM

Logfile of HijackThis v1.99.1
Scan saved at 9:38:16 AM, on 05/05/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Logitech\QuickCam10\QuickCam10.exe
C:\Program Files\Verbatim\ButtonMonitor\ButtonMonitor.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe
C:\Program Files\CleanMyPC\Registry Cleaner\RCScheduler.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msrr.exe
C:\Program Files\Spy Ware Apps\SpywareGuard\sgmain.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe
C:\Program Files\Spy Ware Apps\SpywareGuard\sgbhp.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\Java\jre1.5.0_07\bin\jucheck.exe
C:\HJT\Scanner.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mytelus.com/news/display.do
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuardDLBLOCK.CBrowserHelper - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\Spy Ware Apps\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [VF0070 STISvc] RunDLL32.exe V0070Pin.dll,RunDLL32EP 513
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\TELUSE~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam10\QuickCam10.exe" /hide
O4 - HKLM\..\Run: [ButtonMonitor] C:\Program Files\Verbatim\ButtonMonitor\/ButtonMonitor.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe"
O4 - HKCU\..\Run: [Registry Cleaner Scheduler] "C:\Program Files\CleanMyPC\Registry Cleaner\RCScheduler.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msrr.exe" /background
O4 - Startup: SpywareGuard.lnk = C:\Program Files\Spy Ware Apps\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://www.nick.com/.../GrooveAX25.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

Body Background

skin color theme