Hijackthis Log....help


  • This topic is locked
15 replies to this topic

#1 archer300

archer300

    New Member

  • New Member
  • 9 posts

Posted 26 June 2007 - 09:24 PM

Any help would be greatly appreciated if it helps me get my computer running even slightly better :P


Logfile of HijackThis v1.99.1
Scan saved at 10:23:13 PM, on 6/26/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\WINDOWS\system32\ezSP_Px.exe
C:\Program Files\Creative\SBAudigy\Taskbar\CTLTray.exe
C:\Program Files\Creative\SBAudigy\Taskbar\CTLTask.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Creative\ShareDLL\MediaDet.Exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Dale\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local.,
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\SBAudigy\Program\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\system32\ezSP_Px.exe
O4 - HKLM\..\Run: [eTrust PestPatrol Active Protection] none
O4 - HKLM\..\Run: [SecurityUpdate] rundll32.exe C:\WINDOWS\system32\dagovfw.dll,TurnOn2
O4 - HKLM\..\Run: [j4291533] rundll32 C:\WINDOWS\system32\j4291533.dll sook
O4 - HKLM\..\Run: [GPLv3] rundll32.exe "C:\WINDOWS\system32\wynoixmr.dll",realset
O4 - HKCU\..\Run: [TaskTray] C:\Program Files\Creative\SBAudigy\Taskbar\CTLTray.exe
O4 - HKCU\..\Run: [Taskbar] C:\Program Files\Creative\SBAudigy\Taskbar\CTLTask.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: PowerReg Scheduler.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_01\bin\npjpi141_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_01\bin\npjpi141_01.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.co...ad/MsnPUpld.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zon...1/GAME_UNO1.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F003DD9B-BD7D-46CA-A7FA-3F701C805F44}: NameServer = 192.168.0.1
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe



#2 Simon V.

Simon V.

    MRU Emeritus

  • Authentic Member
  • 897 posts

Posted 28 June 2007 - 08:57 AM

  • Hello, and welcome to the forum.

    My name is Simon V., and I'll be glad to help you with your computer problems.

    HijackThis logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happens.
    I am currently looking over your log. As I am a trainee, everything that I post to you must be checked by an Admin or Moderator. Thus, there may be a tiny bit of a delay between posts, but it shouldn't be too long. I will post back shortly with a potential fix.

    Please be patient and I'd be grateful if you would note the following:
  • I will be working on your malware issues; this may or may not solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine.
  • Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
  • It's often worth reading through these instructions and printing them for ease of reference.
  • If you don't know or understand something, please don't hesitate to say or ask! It's better to be sure and safe than sorry.
  • Please reply to this thread. Do not start a new topic.


#3 Simon V.

Simon V.

    MRU Emeritus

  • Authentic Member
  • 897 posts

Posted 28 June 2007 - 10:13 AM

  • Hi :)

  • You have made a topic, requesting help, at CastleCops. As I am helping you now, please post in the topic at CC that you are receiving help here. Being helped by two helpers is confusing and time consuming.

    Rename HijackThis
  • Please right-click on HijackThis.exe and choose Rename. Rename it to Scanner.exe.

    VundoFix
  • Please download VundoFix.exe to your desktop.
    • Double-click VundoFix.exe to run it.
    • Click the Scan for Vundo button.
    • Once it's done scanning, click the Remove Vundo button.
    • You will receive a prompt asking if you want to remove the files, click YES.
    • Once you click yes, your desktop will go blank as it starts removing Vundo.
    • When completed, it will prompt that it will reboot your computer, click OK.
    • A logfile will be saved at C:\vundofix.txt.
    Note: It is possible that VundoFix encountered a file it could not remove.
    In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

    Make an Uninstall List
  • To access the Uninstall Manager you would do the following:

    1. Start HijackThis
    2. Click on the Config button
    3. Click on the Misc Tools button
    4. Click on the Open Uninstall Manager button.

    You will now be presented with a screen similar to the one below:

    Posted Image

    5. Click on the Save list... button and save the file to a convenient location. When you press Save, Notepad will open with the contents of that file.

    Report Back
  • Please post the report from VundoFix, and the Uninstall List from HijackThis, along with a new HijackThis log in your next reply.


#4 archer300

archer300

    New Member

  • New Member
  • 9 posts

Posted 28 June 2007 - 02:12 PM

Uninstall Manager list:

Ad-Aware SE Personal
Adobe Acrobat 5.0
Adobe Flash Player 9 ActiveX
ATI - Software Uninstall Utility
ATI Control Panel
ATI Display Driver
ATI DVD Decoder 2.1.0.1
ATI Multimedia Center 8.1.0.0
AVG 7.5
AVG Anti-Spyware 7.5
Bulent's Screen Recorder 3
Canon i450
Canon Utilities Easy-PhotoPrint
CCleaner (remove only)
Creative Desktop Wireless
DAO
DivX Codec
DivX Content Uploader
DivX Converter
DivX Player
DivX Web Player
Documents To Go
Easy-WebPrint
Google Earth
Google Toolbar for Internet Explorer
HighMAT Extension to Microsoft Windows XP CD Writing Wizard
HijackThis 2.0.0
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows XP (KB926239)
HydraVision
iTunes
Java 2 Runtime Environment, SE v1.4.1_01
Java Web Start
LimeWire 4.8.1
LogonStudio
Macromedia Shockwave Player
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft .NET Framework 2.0
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Data Access Components KB870669
Microsoft J# Browser Control Utility v1.1 Beta
Microsoft Office 2000 SR-1 Premium
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual J# .NET Redistributable Package 1.1
Microsoft Windows Journal Viewer
Mozilla Firefox (2.0)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 Parser and SDK
MSXML 6.0 Parser (KB927977)
MSXML4 Parser
OLYMPUS CAMEDIA Master 4.2
OpenMG Limited Patch 3.2-03-01-31-01
OpenMG Limited Patch 3.2-03-02-07-01
OpenMG Secure Module 3.2
PCI Audio Driver
PopsMedia Site Adviser
Privacy Eraser Pro 4.20
QMusic
RealArcade
Registry Patrol v3.0
Security Task Manager 1.7
Security Update for Microsoft .NET Framework 2.0 (KB917283)
Security Update for Microsoft .NET Framework 2.0 (KB922770)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB925454)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB928090)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB929969)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931768)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933566)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Shockwave
Sound Blaster Audigy
Spybot - Search & Destroy 1.4
SUPERAntiSpyware Free Edition
Terminal Server Client
TrojanHunter 4.7
TypingMaster Pro
UnderCoverXP 1.06
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
VIA Rhine-Family Fast Ethernet Adapter
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows Live Messenger
Windows Live OneCare safety scanner
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
Windows XP Service Pack 2
WinZip
XviD MPEG-4 Video Codec

VundoFix list:


VundoFix V6.5.1

Checking Java version...

Scan started at 5:02:53 PM 6/27/2007

Listing files found while scanning....

C:\WINDOWS\system32\awtqp.dll
C:\windows\system32\bktnuuub.dll
C:\windows\system32\cavaqcuf.dll
C:\windows\system32\cdufdkyl.dll
C:\WINDOWS\system32\ddayx.dll
C:\WINDOWS\system32\ddayy.dll
C:\WINDOWS\system32\ddcyw.dll
C:\WINDOWS\system32\dmyganfc.dll
C:\WINDOWS\system32\dqyfuere.dll
C:\windows\system32\fganvtut.dll
C:\WINDOWS\system32\gxmovcyx.dll
C:\WINDOWS\system32\hhhcyhsi.dll
C:\WINDOWS\system32\ilkkj.bak1
C:\WINDOWS\system32\ilkkj.ini
C:\WINDOWS\system32\ishychhh.ini
C:\WINDOWS\system32\jkkli.dll
C:\WINDOWS\system32\joawmbrg.dll
C:\windows\system32\kaxyivoh.dll
C:\WINDOWS\system32\osnqhbdt.dll
C:\WINDOWS\system32\pqtwa.bak1
C:\WINDOWS\system32\pqtwa.bak2
C:\WINDOWS\system32\pqtwa.ini
C:\windows\system32\qpubalui.dll
C:\windows\system32\qyueonyy.dll
C:\windows\system32\rbtfqmwn.dll
C:\WINDOWS\system32\rgdnxnnv.dll
C:\windows\system32\rmxionyw.ini
C:\WINDOWS\system32\rxibvppy.dll
C:\WINDOWS\system32\ssqqomn.dll
C:\WINDOWS\system32\ssqro.dll
C:\WINDOWS\system32\ssttr.dll
C:\WINDOWS\system32\vgdvebgf.dll
C:\windows\system32\vlpdekbj.dll
C:\WINDOWS\system32\vpuamdds.dll
C:\windows\system32\wumeawaj.dll
C:\WINDOWS\system32\wycdd.bak1
C:\WINDOWS\system32\wycdd.bak2
C:\WINDOWS\system32\wycdd.ini
C:\windows\system32\wynoixmr.dll
C:\windows\system32\xyadd.bak1
C:\windows\system32\xyadd.bak2
C:\WINDOWS\system32\xyadd.ini
C:\windows\system32\yjqfncrw.dll
C:\WINDOWS\system32\yyadd.bak1
C:\WINDOWS\system32\yyadd.bak2
C:\WINDOWS\system32\yyadd.ini
C:\windows\system32\yynoeuyq.ini

Beginning removal...

Attempting to delete C:\windows\system32\bktnuuub.dll
C:\windows\system32\bktnuuub.dll Has been deleted!

Attempting to delete C:\windows\system32\cavaqcuf.dll
C:\windows\system32\cavaqcuf.dll Has been deleted!

Attempting to delete C:\windows\system32\cdufdkyl.dll
C:\windows\system32\cdufdkyl.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ddayx.dll
C:\WINDOWS\system32\ddayx.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\dmyganfc.dll
C:\WINDOWS\system32\dmyganfc.dll Has been deleted!

Attempting to delete C:\windows\system32\fganvtut.dll
C:\windows\system32\fganvtut.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\hhhcyhsi.dll
C:\WINDOWS\system32\hhhcyhsi.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\ilkkj.bak1
C:\WINDOWS\system32\ilkkj.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\ilkkj.ini
C:\WINDOWS\system32\ilkkj.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\ishychhh.ini
C:\WINDOWS\system32\ishychhh.ini Has been deleted!

Attempting to delete C:\windows\system32\kaxyivoh.dll
C:\windows\system32\kaxyivoh.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\pqtwa.bak1
C:\WINDOWS\system32\pqtwa.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\pqtwa.bak2
C:\WINDOWS\system32\pqtwa.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\pqtwa.ini
C:\WINDOWS\system32\pqtwa.ini Has been deleted!

Attempting to delete C:\windows\system32\qpubalui.dll
C:\windows\system32\qpubalui.dll Has been deleted!

Attempting to delete C:\windows\system32\qyueonyy.dll
C:\windows\system32\qyueonyy.dll Has been deleted!

Attempting to delete C:\windows\system32\rbtfqmwn.dll
C:\windows\system32\rbtfqmwn.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\rgdnxnnv.dll
C:\WINDOWS\system32\rgdnxnnv.dll Has been deleted!

Attempting to delete C:\windows\system32\rmxionyw.ini
C:\windows\system32\rmxionyw.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\ssqqomn.dll
C:\WINDOWS\system32\ssqqomn.dll Has been deleted!

Attempting to delete C:\windows\system32\vlpdekbj.dll
C:\windows\system32\vlpdekbj.dll Has been deleted!

Attempting to delete C:\windows\system32\wumeawaj.dll
C:\windows\system32\wumeawaj.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\wycdd.bak1
C:\WINDOWS\system32\wycdd.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\wycdd.bak2
C:\WINDOWS\system32\wycdd.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\wycdd.ini
C:\WINDOWS\system32\wycdd.ini Has been deleted!

Attempting to delete C:\windows\system32\wynoixmr.dll
C:\windows\system32\wynoixmr.dll Has been deleted!

Attempting to delete C:\windows\system32\xyadd.bak1
C:\windows\system32\xyadd.bak1 Has been deleted!

Attempting to delete C:\windows\system32\xyadd.bak2
C:\windows\system32\xyadd.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\xyadd.ini
C:\WINDOWS\system32\xyadd.ini Has been deleted!

Attempting to delete C:\windows\system32\yjqfncrw.dll
C:\windows\system32\yjqfncrw.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\yyadd.bak1
C:\WINDOWS\system32\yyadd.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\yyadd.bak2
C:\WINDOWS\system32\yyadd.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\yyadd.ini
C:\WINDOWS\system32\yyadd.ini Has been deleted!

Attempting to delete C:\windows\system32\yynoeuyq.ini
C:\windows\system32\yynoeuyq.ini Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\system32\hhhcyhsi.dll
C:\WINDOWS\system32\hhhcyhsi.dll Has been deleted!

Performing Repairs to the registry.
Done!

And new Hijackthis Log:

Logfile of HijackThis v1.99.1
Scan saved at 3:09:58 PM, on 6/28/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\WINDOWS\system32\ezSP_Px.exe
C:\Program Files\TrojanHunter 4.7\THGuard.exe
C:\Program Files\Creative\SBAudigy\Taskbar\CTLTray.exe
C:\Program Files\Creative\SBAudigy\Taskbar\CTLTask.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Creative\ShareDLL\MediaDet.Exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Dale\Desktop\VundoFix.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Dale\Desktop\Scanner.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local.,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {1C8F5DF8-5ACD-44C2-AA50-416E93088B4f} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\SBAudigy\Program\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\system32\ezSP_Px.exe
O4 - HKLM\..\Run: [SecurityUpdate] rundll32.exe C:\WINDOWS\system32\dagovfw.dll,TurnOn2
O4 - HKLM\..\Run: [j4291533] rundll32 C:\WINDOWS\system32\j4291533.dll sook
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.7\THGuard.exe"
O4 - HKCU\..\Run: [TaskTray] C:\Program Files\Creative\SBAudigy\Taskbar\CTLTray.exe
O4 - HKCU\..\Run: [Taskbar] C:\Program Files\Creative\SBAudigy\Taskbar\CTLTask.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_01\bin\npjpi141_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_01\bin\npjpi141_01.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\System32\shdocvw.dll
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.co...ad/MsnPUpld.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zon...1/GAME_UNO1.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onec...lscbase8300.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F003DD9B-BD7D-46CA-A7FA-3F701C805F44}: NameServer = 192.168.0.1
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe

Note: I ran a few scanners after reading that malware removal program on CastleCops to speed up the process a bit.

Thank you for helping me, it is greatly appreciated. I understand you guys help people in your spare time and for that I thank you! I also understand that you are a trainee, and would like to thank you for taking the time out to learn to help other people.

Edited by archer300, 28 June 2007 - 02:34 PM.
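Added example, not part of the thread and not code from any of the tools it mentions: a small Python triage script that reads HijackThis O2/O3/O4 lines and the VundoFix output quoted above, flags rundll32 loaders that pull a DLL straight out of system32 (the Vundo pattern behind dagovfw.dll, j4291533.dll and wynoixmr.dll in these logs), and cross-checks which of those loader entries disappeared after VundoFix ran. The log excerpts are constructed from lines in this thread, and the KNOWN_GOOD_DLLS allowlist is an assumption to extend for your own environment.

```python
import re
from os.path import splitext

# Constructed excerpts of the two HijackThis logs and the VundoFix output
# posted above (before = post #1, after = post #4).
HJT_BEFORE = r"""
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SecurityUpdate] rundll32.exe C:\WINDOWS\system32\dagovfw.dll,TurnOn2
O4 - HKLM\..\Run: [j4291533] rundll32 C:\WINDOWS\system32\j4291533.dll sook
O4 - HKLM\..\Run: [GPLv3] rundll32.exe "C:\WINDOWS\system32\wynoixmr.dll",realset
"""
HJT_AFTER = r"""
O2 - BHO: (no name) - {1C8F5DF8-5ACD-44C2-AA50-416E93088B4f} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SecurityUpdate] rundll32.exe C:\WINDOWS\system32\dagovfw.dll,TurnOn2
O4 - HKLM\..\Run: [j4291533] rundll32 C:\WINDOWS\system32\j4291533.dll sook
"""
VUNDOFIX_LOG = r"""
Attempting to delete C:\windows\system32\wynoixmr.dll
C:\windows\system32\wynoixmr.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\hhhcyhsi.dll
C:\WINDOWS\system32\hhhcyhsi.dll Has been deleted!
"""

# O4 line: "O4 - <location>: [<name>] <command>"; Startup-folder items have no [name].
O4_RE = re.compile(r'^O4 - (?P<loc>.+?): (?:\[(?P<name>[^\]]*)\] )?(?P<cmd>.*)$')
# rundll32 / rundll32.exe followed by the (optionally quoted) DLL path.
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",\s]+)"?', re.IGNORECASE)
# HijackThis marks registrations whose backing file is gone with one of these.
ORPHAN_RE = re.compile(r'\((?:no file|file missing)\)\s*$')
# Assumed allowlist of DLL stems that legitimately run via rundll32 from system32.
KNOWN_GOOD_DLLS = {'shell32', 'advpack', 'setupapi', 'powrprof'}


def parse_o4(log):
    """Map each O4 autostart command to its [name] ('' for Startup-folder items)."""
    entries = {}
    for line in log.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            entries[m.group('cmd')] = m.group('name') or ''
    return entries


def rundll_target(cmd):
    """Return the DLL path a rundll32 command loads, or None if it is not rundll32."""
    m = RUNDLL_RE.match(cmd)
    return m.group('dll') if m else None


def is_suspicious_loader(cmd):
    """Heuristic: rundll32 loading a non-allowlisted DLL straight out of system32.
    Vundo-style droppers register exactly this shape with a random-looking name."""
    dll = rundll_target(cmd)
    if dll is None:
        return False
    parts = dll.replace('/', '\\').lower().split('\\')
    if 'system32' not in parts[:-1]:
        return False
    stem = splitext(parts[-1])[0]
    return stem not in KNOWN_GOOD_DLLS


def orphan_entries(log):
    """O2/O3 entries whose backing file is gone: dead BHO/toolbar registrations."""
    return [l.strip() for l in log.splitlines()
            if l.startswith(('O2 - ', 'O3 - ')) and ORPHAN_RE.search(l)]


def deleted_files(vundofix_log):
    """Lower-cased paths VundoFix reports as deleted."""
    return {l.split(' Has been deleted!')[0].strip().lower()
            for l in vundofix_log.splitlines() if 'Has been deleted!' in l}


def triage(before, after, vundofix_log):
    """Cross-check the before/after HijackThis logs against what VundoFix removed."""
    b, a = parse_o4(before), parse_o4(after)
    flagged_before = {cmd for cmd in b if is_suspicious_loader(cmd)}
    flagged_after = {cmd for cmd in a if is_suspicious_loader(cmd)}
    deleted = deleted_files(vundofix_log)
    return {
        # loader entries gone from the new log whose DLL VundoFix actually deleted
        'cleaned': sorted(cmd for cmd in flagged_before - flagged_after
                          if rundll_target(cmd).lower() in deleted),
        # loader entries still present after the cleanup: these need follow-up
        'survivors': sorted(flagged_before & flagged_after),
        # dead registrations left behind, safe to fix with HijackThis
        'orphans': orphan_entries(after),
    }


if __name__ == '__main__':
    for key, items in triage(HJT_BEFORE, HJT_AFTER, VUNDOFIX_LOG).items():
        print(key)
        for item in items:
            print('   ', item)
```

On the excerpt above the script reports wynoixmr.dll as cleaned, the dagovfw.dll and j4291533.dll loaders as survivors, and the three "(no file)" O2/O3 entries as orphans, which matches what the helper goes on to fix.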


#5 Simon V.

Simon V.

    MRU Emeritus

  • Authentic Member
  • 897 posts

Posted 29 June 2007 - 07:31 AM

  • Hi :)

  • You seem to have HijackThis 2.0.0 installed. This version is still being tested, and should not be used. Instead, please continue using version 1.99.1. To avoid confusion, please uninstall version 2.0.0 by doing the following:
  • Click on Start, then Control Panel. Double click on Add or Remove Programs.

    Please remove the following program:
    • HijackThis 2.0.0

    AVG Anti-Spyware
  • Please download and install AVG Anti-Spyware.

    After the installation, open AVG Anti-Spyware and do the following:
    • Under 'Status', click on Change state, next to 'Resident shield' (this will change from Active to Inactive)
    • Under the 'Update' tab, click on 'Start update'.
    • Under 'Scanner', click on the 'Settings' tab:
      • Under 'How to act?', click on 'Recommended actions', and select Quarantine.
      • Under 'Reports', select 'Automatically generate report after every scan', and remove the check next to 'Only if threats were found'
    Close AVG Anti-Spyware. Do not let it scan yet.

    CCleaner
  • CCleaner will remove everything from the temp/temporary folders but please note that it will not make back ups!
    • Before first use, select Options > Advanced and UNCHECK Only delete files in Windows Temp folder older than 48 hours
    • Then select the items you wish to clean up.
      • In the Windows Tab:
        • Clean all entries in the Internet Explorer section except Cookies.
        • Clean all the entries in the Windows Explorer section.
        • Clean all entries in the System section.
        • Clean all entries in the Advanced section.
        • Clean any others that you choose.
      • In the Applications Tab:
        • Clean all except Cookies in the Firefox/Mozilla section (if you use it).
        • Clean all in the Opera section (if you use it).
        • Clean Sun Java in the Internet Section.
        • Clean any others that you choose.
    • Click the Run Cleaner button.
    • A pop up box will appear advising this process will permanently delete files from your system.
    • Click OK and it will scan and clean your system.
    • Click exit when done.
    • If it asks you to reboot at the end, click NO.
  • CCleaner should be run with the above settings for each User Account!

    ComboFix
  • Please download Combofix from one of the links below:

    http://download.blee...Bs/ComboFix.exe
    http://www.techsuppo...Bs/ComboFix.exe
  • Double-click combofix.exe and follow the prompts.
    • When finished, it shall produce a log for you. Save it to a convenient location.
    Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

    Fix Entries with HijackThis
  • Open HijackThis, perform a scan and put a check next to the following items (if present):

    O2 - BHO: (no name) - {1C8F5DF8-5ACD-44C2-AA50-416E93088B4f} - (no file)
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O3 - Toolbar: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O4 - HKLM\..\Run: [SecurityUpdate] rundll32.exe C:\WINDOWS\system32\dagovfw.dll,TurnOn2
    O4 - HKLM\..\Run: [j4291533] rundll32 C:\WINDOWS\system32\j4291533.dll sook


    Close all programs except HijackThis and click on Fix checked.

    Safe Mode
  • Print these instructions or copy them to Notepad and save it to your Desktop, as you won't be able to access the internet in Safe Mode.
  • Please reboot into Safe Mode. To do this, go to Start > Turn off Computer, and select Restart. Rapidly tap F8 just before Windows starts to load. In the menu that appears, select Safe Mode (Without Networking).

    Delete Files and Folders
  • Navigate to the following files/folders using Windows Explorer and delete them when found:

    C:\WINDOWS\system32\dagovfw.dll
    C:\WINDOWS\system32\j4291533.dll

    AVG Anti-Spyware
  • Please open AVG Anti-Spyware.
    • Click on the 'Scan' tab.
    • Click on 'Complete System Scan' to start the scan process.
    • After the scan, do the following:
      Important: Don't click on the "Save Scan Report" button before you have clicked the "Apply all Actions" button.
    • Make sure that Set all elements to: shows Quarantine (1), if not, click on the link and select 'Quarantine' from the popup menu. (2)
    • At the bottom of the window click on the Apply all Actions button. (3)
    • When done, click the 'Save Report' (4) button, and save the file to your Desktop.
  • Reboot into Normal Mode.

    Report Back
  • Please post the reports from ComboFix and AVG Anti-Spyware, along with a new HijackThis log in your next reply.
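
As an added example (not code from this thread, from HijackThis or from any other tool named above), the following Python script does the triage the helper did by hand on the log: it parses the O2/O3/O4 line formats, flags browser add-ons still registered against "(no file)" and Run values that start rundll32 on a DLL in system32, and turns them into the "Fix checked" list and the list of files to delete afterwards. The sample lines are copied from this thread; the random-name heuristic is an assumption of this example, not a HijackThis feature.

```python
"""Triage HijackThis 1.99.1 log lines the way the helper did by hand.

Added example for this thread; not code from HijackThis, ComboFix or any
other tool named above. It recognises two of the patterns ticked for
"Fix checked": O2/O3 browser add-ons whose file is gone ("(no file)"),
and O4 Run values that start rundll32 on a DLL sitting in system32.
The random-name heuristic is an assumption of this example.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the five entries the helper asked to fix plus three
# benign entries, all copied from the logs posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {1C8F5DF8-5ACD-44C2-AA50-416E93088B4f} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SecurityUpdate] rundll32.exe C:\WINDOWS\system32\dagovfw.dll,TurnOn2
O4 - HKLM\..\Run: [j4291533] rundll32 C:\WINDOWS\system32\j4291533.dll sook
""".strip()

# "O2 - BHO: <name> - {CLSID} - <path>" / "O3 - Toolbar: <name> - {CLSID} - <path>"
ADDON_RE = re.compile(
    r"^(?P<section>O[23]) - (?:BHO|Toolbar): (?P<name>.*?) - "
    r"(?P<clsid>\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}) - (?P<path>.*)$"
)
# "O4 - HKLM\..\Run: [<value name>] <command line>"
RUN_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<value>[^\]]*)\] (?P<cmd>.*)$"
)
# rundll32 / rundll32.exe followed by the DLL it loads. The thread's entries use
# unquoted paths without spaces; a quoted path is accepted too.
RUNDLL_RE = re.compile(
    r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^\s,"]+\.dll)', re.IGNORECASE
)


@dataclass
class Finding:
    line: str                             # HijackThis line to tick in "Fix checked"
    reason: str
    file_to_delete: Optional[str] = None  # file to remove afterwards, if any


def looks_random(stem: str) -> bool:
    """Heuristic (assumption of this example) for generated names such as
    dagovfw or j4291533: letters mixed with digits, or few vowels."""
    has_digit = any(c.isdigit() for c in stem)
    has_alpha = any(c.isalpha() for c in stem)
    vowels = sum(c in "aeiou" for c in stem.lower())
    return (has_digit and has_alpha) or (len(stem) >= 6 and vowels / len(stem) < 0.3)


def triage(log_text: str) -> List[Finding]:
    """Return the lines a helper would fix, in log order."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ADDON_RE.match(line)
        if m:
            # An add-on CLSID whose file is missing is dead weight left by a
            # partial removal; it is harmless but still ticked for cleanup.
            if m.group("path").strip().lower() == "(no file)":
                findings.append(Finding(
                    line,
                    f"{m.group('section')} {m.group('clsid')} is still registered "
                    "but its file is gone (orphaned CLSID)",
                ))
            continue
        m = RUN_RE.match(line)
        if not m:
            continue
        r = RUNDLL_RE.match(m.group("cmd").strip())
        if not r or "\\system32\\" not in r.group("dll").lower():
            continue
        dll = r.group("dll")
        stem = dll.rsplit("\\", 1)[-1][:-4]
        reason = (f"{m.group('hive')} Run value [{m.group('value')}] uses rundll32 "
                  f"to load {dll} at logon")
        if looks_random(stem):
            reason += " (random-looking file name)"
        findings.append(Finding(line, reason, file_to_delete=dll))
    return findings


def fix_list(findings: List[Finding]) -> List[str]:
    """Lines to tick in HijackThis before pressing "Fix checked"."""
    return [f.line for f in findings]


def delete_list(findings: List[Finding]) -> List[str]:
    """Files to delete once no Run value references them any more."""
    return [f.file_to_delete for f in findings if f.file_to_delete]


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    print("Fix with HijackThis:")
    for f in results:
        print(f"  {f.line}\n      -> {f.reason}")
    print("Then delete:")
    for path in delete_list(results):
        print(f"  {path}")
```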


#6 archer300

archer300

    New Member

  • New Member
  • 9 posts

Posted 29 June 2007 - 06:30 PM

I can't seem to boot into safe mode, might it be because I'm using a wireless keyboard and mouse?

#7 Simon V.

Simon V.

    MRU Emeritus

  • Authentic Member
  • 897 posts

Posted 30 June 2007 - 08:41 AM

Hi :) Have you tried another F-key, instead of F8? Sometimes, you can enter Safe Mode by pressing F5 or F2. If this doesn't work please follow the instructions as outlined, but after the step 'Fix Entries with HijackThis', reboot into Normal Mode, instead of Safe Mode. Run AVG Anti-Spyware in Normal Mode. Please tell me if there are files you can't delete.

#8 archer300

archer300

    New Member

  • New Member
  • 9 posts

Posted 30 June 2007 - 04:49 PM

Couldn't find (C:\WINDOWS\system32\dagovfw.dll) or (C:\WINDOWS\system32\j4291533.dll) to delete. Also, I followed the instructions, but when I went to go save the report it wouldn't let me click save report, the button just froze. Computer didn't boot into safe mode because my keyboard doesn't turn on until Windows loads. Here are the logs for Combofix and Hijackthis:

"Dale" - 2007-06-29 19:06:38 - ComboFix 07-06-27.7 - Service Pack 2 NTFS


(((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\vgqrxhsi.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\Common Files\drivecleaner free
C:\Program Files\PopsMedia Site Adviser
C:\Program Files\PopsMedia Site Adviser\vm5_killer.exe
C:\WINDOWS\system32\ldpackage.dll
C:\WINDOWS\system32\model.dat
C:\WINDOWS\system32\silc_dll.dll


((((((((((((((((((((((((( Files Created from 2007-05-28 to 2007-06-30 )))))))))))))))))))))))))))))))


2007-06-29 19:06 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-27 19:26 <DIR> d-------- C:\DOCUME~1\Dale\APPLIC~1\TrojanHunter
2007-06-27 19:25 <DIR> d-------- C:\{00002A3A-0000-0000-1227-BED219CF8ECB}
2007-06-27 19:25 <DIR> d-------- C:\{00002394-0000-0000-C886-59AE0CA0DBF8}
2007-06-27 17:51 <DIR> d-------- C:\Program Files\TrojanHunter 4.7
2007-06-27 17:29 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2007-06-27 17:25 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-06-27 17:24 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-06-27 17:24 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-06-27 17:24 <DIR> d-------- C:\DOCUME~1\Dale\APPLIC~1\SUPERAntiSpyware.com
2007-06-27 17:02 <DIR> d-------- C:\VundoFix Backups
2007-06-22 22:00 4,628 --a------ C:\WINDOWS\system32\vywlvhsp.exe
2007-05-30 15:29 <DIR> d-------- C:\Program Files\PopsMedia
2007-05-30 15:29 <DIR> d-------- C:\Program Files\DriveCleaner Search Toolbar
2007-05-29 15:49 405,504 --a------ C:\WINDOWS\undst.exe
2007-05-29 15:49 26,886 --a------ C:\WINDOWS\system32\dagovfw.dll


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-30 00:11:10 24 ----a-w C:\WINDOWS\system32\DVCStateBkp-{00000000-00000000-00000009-00001102-00000004-00511102}.dat
2007-06-30 00:11:10 24 ----a-w C:\WINDOWS\system32\DVCState-{00000000-00000000-00000009-00001102-00000004-00511102}.dat
2007-06-27 00:17:57 -------- d-----w C:\Program Files\Google
2007-06-05 22:35:43 2,048 ----a-w C:\WINDOWS\system32\Tr_sttool.dat
2007-05-30 20:29:28 -------- d-----w C:\Program Files\IncrediMail
2007-05-30 20:29:27 -------- d-----w C:\Program Files\InterActual
2007-05-29 20:43:44 -------- d-----w C:\Program Files\Common Files\Real
2007-05-29 20:41:58 -------- d-----w C:\DOCUME~1\Dale\APPLIC~1\Real
2007-05-23 02:39:04 -------- d-----w C:\Program Files\LimeWire
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-05-15 19:08:45 -------- d-----w C:\Program Files\Windows Media Connect 2
2007-05-12 00:43:29 988,590 --sha-w C:\WINDOWS\system32\rttss.bak2
2007-05-11 23:43:23 985,295 --sha-w C:\WINDOWS\system32\rttss.bak1
2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-17 03:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-17 03:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-17 03:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-17 03:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-17 03:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-17 03:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-17 03:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-17 03:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-04-14 03:04:21 2,933 -c--a-w C:\WINDOWS\mozver.dat
2007-04-02 20:23:23 794,532 --sha-w C:\WINDOWS\system32\orqss.bak1
2007-04-02 20:23:16 795,196 --sha-w C:\WINDOWS\system32\orqss.bak2


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx [2001-03-02 12:02]
{53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 02:04]
{AA58ED58-01DD-4d91-8333-CF10577473F7}=c:\program files\google\googletoolbar2.dll [2007-01-19 23:55]
{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}=C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll [2007-06-23 22:15]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2005-09-03 19:21]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-04-20 15:25]
"Disc Detector"="C:\Program Files\Creative\ShareDLL\CtNotify.exe" [2001-04-02 02:00]
"CTStartup"="C:\Program Files\Creative\SBAudigy\Program\CTEaxSpl.exe" [2001-06-04 01:00]
"Jet Detection"="C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe" [2001-04-20 14:52]
"THGuard"="C:\Program Files\TrojanHunter 4.7\THGuard.exe" [2007-06-23 00:19]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TaskTray"="C:\Program Files\Creative\SBAudigy\Taskbar\CTLTray.exe" [2001-06-29 01:00]
"Taskbar"="C:\Program Files\Creative\SBAudigy\Taskbar\CTLTask.exe" [2001-07-26 01:00]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-23 22:15]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 20:05]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
@=

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2007-06-29 15:13]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"="C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2006-12-20 13:55]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Driver]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Guard]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^DataViz Messenger.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\DataViz Messenger.lnk
backup=C:\WINDOWS\pss\DataViz Messenger.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HotSync Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HotSync Manager.lnk
backup=C:\WINDOWS\pss\HotSync Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Dale^Start Menu^Programs^Startup^PowerReg Scheduler.exe]
path=C:\Documents and Settings\Dale\Start Menu\Programs\Startup\PowerReg Scheduler.exe
backup=C:\WINDOWS\pss\PowerReg Scheduler.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Dale^Start Menu^Programs^Startup^UCmore XP - The Search Accelerator.lnk]
path=C:\Documents and Settings\Dale\Start Menu\Programs\Startup\UCmore XP - The Search Accelerator.lnk
backup=C:\WINDOWS\pss\UCmore XP - The Search Accelerator.lnkStartup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATI Launchpad]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C-Media Mixer]
Mixer.exe /startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccRegVfy]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CHotkey]
mHotkey.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CNYHKey]
CNYHKey.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CreativeMouse ]
C:\Program Files\Creative\Desktop Wireless\mouse_2k.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ezShieldProtector for Px]
C:\WINDOWS\System32\ezSP_Px.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Instant Access]
rundll32.exe EGCOMLIB_1035.dll,InstantAccess

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelliPoint]
"C:\Program Files\Microsoft IntelliPoint\point32.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QMusic]
"C:\Program Files\BenQ\QMusic2\QMAgent.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StopHid]
StopHid.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]


**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-29 19:15:15
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Disc Detector = C:\Program Files\Creative\ShareDLL\CtNotify.exe?X???????????????? C?????Disc Detector?B???A???????A?? ????B???@?$?@?? C?????U?@?????????@?B???A???????A?p ????B???@?????P???$?@? ????????A~??????????@?A?????????????????B?????| ????????????????????????????B
CTStartup = C:\Program Files\Creative\SBAudigy\Program\CTEaxSpl.EXE /run????????????x??????s$????\?w? ?w???????w???w4???????.??w4???????4???TA?s4???????L:2???A~??A~????????\???\???????$???U?A~??A~\???\?????????_???????B~\???\??????s????\??????s\???0:2?A??s0:2???B~???

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-06-29 19:16:37 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-06-29 19:16

--- E O F ---


_____________________________________________________________________________________________________________________


Logfile of HijackThis v1.99.1
Scan saved at 5:48:37 PM, on 6/30/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\Program Files\TrojanHunter 4.7\THGuard.exe
C:\Program Files\Creative\SBAudigy\Taskbar\CTLTray.exe
C:\Program Files\Creative\SBAudigy\Taskbar\CTLTask.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Creative\ShareDLL\MediaDet.Exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Dale\Desktop\Scanner.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local.,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\SBAudigy\Program\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.7\THGuard.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [TaskTray] C:\Program Files\Creative\SBAudigy\Taskbar\CTLTray.exe
O4 - HKCU\..\Run: [Taskbar] C:\Program Files\Creative\SBAudigy\Taskbar\CTLTask.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_01\bin\npjpi141_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_01\bin\npjpi141_01.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\System32\shdocvw.dll
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.co...ad/MsnPUpld.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zon...1/GAME_UNO1.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onec...lscbase8300.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F003DD9B-BD7D-46CA-A7FA-3F701C805F44}: NameServer = 192.168.0.1
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe

#9 Simon V.

Simon V.

    MRU Emeritus

  • Authentic Member
  • 897 posts

Posted 01 July 2007 - 04:10 AM

  • Hi :)

    Show Hidden Files and Folders
  • Be sure that you are set to see hidden files and folders:
    • Close all programs so that you are at your desktop.
    • Double-click on the My Computer icon.
    • Select the Tools menu and click Folder Options.
    • After the new window appears select the View tab.
    • Put a checkmark in the checkbox labelled Display the contents of system folders.
    • Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
    • Remove the checkmark from the checkbox labelled Hide file extensions for known file types.
    • Remove the checkmark from the checkbox labelled Hide protected operating system files.
    • Press the Apply button and then the OK button and shut down My Computer.

    Upload Files to Virustotal
  • Please visit Virustotal
    • Click the Browse... button.
    • Navigate to the file C:\WINDOWS\system32\vywlvhsp.exe
    • Click the Open button.
    • Click the Send button.
    • Also do this for:

      C:\WINDOWS\undst.exe
    • Copy and paste the results in Notepad, and save them to your desktop, so you can post them in your next reply.

    Run Kaspersky Online Scan
  • Please do an online scan with Kaspersky WebScanner

    Click on Kaspersky Online Scanner

    You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
    • The program will launch and then begin downloading the latest definition files:
    • Once the files have been downloaded click on NEXT
    • Now click on Scan Settings
    • In the scan settings make sure that the following are selected:
      • Scan using the following Anti-Virus database:
      Extended (if available otherwise Standard)
      • Scan Options:
      Scan Archives
      Scan Mail Bases
    • Click OK
    • Now under 'Select a target to scan', select My Computer.
    • The program will start and scan your system.
    • The scan will take a while so be patient and let it run.
    • Once the scan is complete it will display if your system has been infected.
      • Now click on the Save as Text button:
    • Save the file to your desktop.

    Report Back
  • Please post the reports from the Virustotal scans and the Kaspersky Online Scan, along with a new HijackThis log in your next reply.


#10 archer300

archer300

    New Member

  • New Member
  • 9 posts

Posted 01 July 2007 - 10:16 PM

UNDST.EXE

Antivirus  Version  Update  Result
AhnLab-V3  2007.6.30.0  06.29.2007  no virus found
AntiVir  7.4.0.37  07.01.2007  no virus found
Authentium  4.93.8  06.29.2007  no virus found
Avast  4.7.997.0  07.02.2007  no virus found
AVG  7.5.0.476  07.01.2007  no virus found
BitDefender  7.2  07.02.2007  no virus found
CAT-QuickHeal  9.00  06.30.2007  no virus found
ClamAV  devel-20070416  07.01.2007  no virus found
DrWeb  4.33  07.02.2007  no virus found
eSafe  7.0.15.0  06.30.2007  no virus found
eTrust-Vet  30.8.3752  06.29.2007  no virus found
Ewido  4.0  07.01.2007  no virus found
FileAdvisor  1  07.02.2007  no virus found
Fortinet  2.91.0.0  07.01.2007  no virus found
F-Prot  4.3.2.48  06.29.2007  no virus found
F-Secure  6.70.13030.0  07.02.2007  no virus found
Ikarus  T3.1.1.8  07.01.2007  no virus found
Kaspersky  4.0.2.24  07.02.2007  no virus found
McAfee  5064  06.29.2007  no virus found
Microsoft  1.2701  07.02.2007  no virus found
NOD32v2  2368  07.01.2007  no virus found
Norman  5.80.02  06.29.2007  no virus found
Panda  9.0.0.4  07.01.2007  Suspicious file
Sophos  4.19.0  06.28.2007  no virus found
Sunbelt  2.2.907.0  06.29.2007  no virus found
Symantec  10  07.02.2007  no virus found
TheHacker  6.1.6.140  06.28.2007  no virus found
VBA32  3.12.0.2  07.02.2007  no virus found
VirusBuster  4.3.23:9  07.01.2007  no virus found
Webwasher-Gateway  6.0.1  07.01.2007  no virus found

--------------------------------------------------------------------------------------------------------------------

vywlvhsp.exe

Antivirus  Version  Update  Result
AhnLab-V3  2007.6.30.0  06.29.2007  no virus found
AntiVir  7.4.0.37  07.01.2007  TR/Click.Agent.NP
Authentium  4.93.8  06.29.2007  no virus found
Avast  4.7.997.0  07.02.2007  no virus found
AVG  7.5.0.476  07.01.2007  no virus found
BitDefender  7.2  07.02.2007  Trojan.Clicker.Agent.NP
CAT-QuickHeal  9.00  06.30.2007  no virus found
ClamAV  devel-20070416  07.01.2007  no virus found
DrWeb  4.33  07.02.2007  Trojan.Click.2799
eSafe  7.0.15.0  06.30.2007  no virus found
eTrust-Vet  30.8.3752  06.29.2007  no virus found
Ewido  4.0  07.01.2007  Downloader.Tiny.id
FileAdvisor  1  07.02.2007  no virus found
Fortinet  2.91.0.0  07.01.2007  no virus found
F-Prot  4.3.2.48  06.29.2007  no virus found
F-Secure  6.70.13030.0  07.02.2007  Trojan-Downloader.Win32.Tiny.id
Ikarus  T3.1.1.8  07.01.2007  Trojan.Click.2799
Kaspersky  4.0.2.24  07.02.2007  Trojan-Downloader.Win32.Tiny.id
McAfee  5064  06.29.2007  no virus found
Microsoft  1.2701  07.02.2007  no virus found
NOD32v2  2368  07.01.2007  no virus found
Norman  5.80.02  06.29.2007  no virus found
Panda  9.0.0.4  07.01.2007  Trj/Downloader.PCQ
Sophos  4.19.0  06.28.2007  no virus found
Sunbelt  2.2.907.0  06.29.2007  no virus found
Symantec  10  07.02.2007  Trojan Horse
TheHacker  6.1.6.140  06.28.2007  no virus found
VBA32  3.12.0.2  07.02.2007  Trojan.Click.2799
VirusBuster  4.3.23:9  07.01.2007  no virus found
Webwasher-Gateway  6.0.1  07.01.2007  Trojan.Click.Agent.NP

-------------------------------------------------------------------------------------------------------------------------------

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Sunday, July 01, 2007 11:14:07 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 2/07/2007
Kaspersky Anti-Virus database records: 356320
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 67359
Number of viruses found: 12
Number of infected objects: 38
Number of suspicious objects: 0
Duration of the scan process: 01:10:59

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log  Object is locked  skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log  Object is locked  skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck  Object is locked  skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys9a27dbb5bb0097af37e0991a435f491_c67babbf-4b20-406e-8112-590a0a7361f3  Object is locked  skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\12145e1c751bd0602bb1befd0a0ae15a_c67babbf-4b20-406e-8112-590a0a7361f3  Object is locked  skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\12dacef2506a274619e5a6b8b8069d89_c67babbf-4b20-406e-8112-590a0a7361f3  Object is locked  skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\16add2a8619eea85fcef144b038b7722_c67babbf-4b20-406e-8112-590a0a7361f3  Object is locked  skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\16b8dfef48253651ca11aa7d365faae0_c67babbf-4b20-406e-8112-590a0a7361f3  Object is locked  skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\1ef74c7abf9539b79f69208173af5ad7_c67babbf-4b20-406e-8112-590a0a7361f3  Object is locked  skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\25b8c4f7b69d04b12e1b11b30592bb06_c67babbf-4b20-406e-8112-590a0a7361f3  Object is locked  skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\283ced1b43bb45009cd7f36540e82677_c67babbf-4b20-406e-8112-590a0a7361f3  Object is locked  skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\2e1dbaa42dd332031208fc508d44d85c_c67babbf-4b20-406e-8112-590a0a7361f3  Object is locked  skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\34112d3493146fb137f13a9106871bf7_c67babbf-4b20-406e-8112-590a0a7361f3  Object is locked  skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\35313f948119e45832bd65bdbc3987ad_c67babbf-4b20-406e-8112-590a0a7361f3  Object is locked  skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\41be4c85c8e05c1462a93f0d380deb94_c67babbf-4b20-406e-8112-590a0a7361f3  Object is locked  skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\4365040a2f7e4fd09a82769743305c08_c67babbf-4b20-406e-8112-590a0a7361f3  Object is locked  skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\54cef422d9f590905b733bfb6d5ec5f4_c67babbf-4b20-406e-8112-590a0a7361f3  Object is locked  skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\5c6f8208d7f9b5cfa1eaf95739054eda_c67babbf-4b20-406e-8112-590a0a7361f3  Object is locked  skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\5f3cff4a6cf928d6fabe5a5abfc4251a_c67babbf-4b20-406e-8112-590a0a7361f3  Object is locked  skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\6514aa4a29919d41e559e87d4e91310d_c67babbf-4b20-406e-8112-590a0a7361f3  Object is locked  skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\697efb9de3c7899596a6497e23f22c90_c67babbf-4b20-406e-8112-590a0a7361f3  Object is locked  skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\6acf6c60324116c552fadcd335abce27_c67babbf-4b20-406e-8112-590a0a7361f3  Object is locked  skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\6fe196428d4f08f883c29d0c0211e2fe_c67babbf-4b20-406e-8112-590a0a7361f3  Object is locked  skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\726c9992cfcf587260bfce420ca25203_c67babbf-4b20-406e-8112-590a0a7361f3  Object is locked  skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\790b84b6a21d164a243688e99e89e60a_c67babbf-4b20-406e-8112-590a0a7361f3  Object is locked  skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\99a3d6920a9296a2d253083762b362a7_c67babbf-4b20-406e-8112-590a0a7361f3  Object is locked  skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\99c1df85baa8f43fe5902b7b8877123b_c67babbf-4b20-406e-8112-590a0a7361f3  Object is locked  skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\a1762d6b5013bb4882b6430dfc7b5f91_c67babbf-4b20-406e-8112-590a0a7361f3  Object is locked  skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\a55db92c37721fbf20d873f3499e9f98_c67babbf-4b20-406e-8112-590a0a7361f3  Object is locked  skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\acfa0215160f99e86e15f77904988eac_c67babbf-4b20-406e-8112-590a0a7361f3  Object is locked  skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\ae82faabce84bc339f44d571d4f27574_c67babbf-4b20-406e-8112-590a0a7361f3  Object is locked  skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\b07d11ef1f939b98ceeb3ed6d3c38ae5_c67babbf-4b20-406e-8112-590a0a7361f3  Object is locked  skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\bf0d5b2a122337f25bbc75bc70da8e64_c67babbf-4b20-406e-8112-590a0a7361f3  Object is locked  skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\c34210eab5645aaa90d268a3d26930d0_c67babbf-4b20-406e-8112-590a0a7361f3  Object is locked  skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\c52e70ace85f1cae79110005472a9967_c67babbf-4b20-406e-8112-590a0a7361f3  Object is locked  skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\c78c298d15d82216b1cfaf32ad62014f_c67babbf-4b20-406e-8112-590a0a7361f3  Object is locked  skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\d9876be174fa8c59f29350edcfa34d93_c67babbf-4b20-406e-8112-590a0a7361f3  Object is locked  skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\e05404892189f00ceb6c0af60bbd1d75_c67babbf-4b20-406e-8112-590a0a7361f3  Object is locked  skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\e407930cb31e688aed19c3479efe7047_c67babbf-4b20-406e-8112-590a0a7361f3  Object is locked  skipped
C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp  Object is locked  skipped
C:\Documents and Settings\All Users\DRM\drmstore.hds  Object is locked  skipped
C:\Documents and Settings\Dale\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SUPERANTISPYWARE.LOG  Object is locked  skipped
C:\Documents and Settings\Dale\Cookies\index.dat  Object is locked  skipped
C:\Documents and Settings\Dale\Local Settings\Application Data\Microsoft\Media Player\CurrentDatabase_360.wmdb  Object is locked  skipped
C:\Documents and Settings\Dale\Local Settings\Application Data\Microsoft\Messenger\drunkman1234@hotmail.com\SharingMetadata\Logs\Dfsr00005.log  Object is locked  skipped
C:\Documents and Settings\Dale\Local Settings\Application Data\Microsoft\Messenger\drunkman1234@hotmail.com\SharingMetadata\pending.dat  Object is locked  skipped
C:\Documents and Settings\Dale\Local Settings\Application Data\Microsoft\Messenger\drunkman1234@hotmail.com\SharingMetadata\Working\database_84C0_8738_C087_2F8A\dfsr.db  Object is locked  skipped
C:\Documents and Settings\Dale\Local Settings\Application Data\Microsoft\Messenger\drunkman1234@hotmail.com\SharingMetadata\Working\database_84C0_8738_C087_2F8A\fsr.log  Object is locked  skipped
C:\Documents and Settings\Dale\Local Settings\Application
Data\Microsoft\Messenger\drunkman1234@hotmail.com\SharingMetadata\Working\database_84C0_8738_C087_2F8A\tmp.edb Object is locked skipped C:\Documents and Settings\Dale\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped C:\Documents and Settings\Dale\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped C:\Documents and Settings\Dale\Local Settings\Application Data\Microsoft\Windows Live Contacts\drunkman1234@hotmail.com\real\members.stg Object is locked skipped C:\Documents and Settings\Dale\Local Settings\Application Data\Microsoft\Windows Live Contacts\drunkman1234@hotmail.com\shadow\members.stg Object is locked skipped C:\Documents and Settings\Dale\Local Settings\History\History.IE5\index.dat Object is locked skipped C:\Documents and Settings\Dale\Local Settings\History\History.IE5\MSHist012007070120070702\index.dat Object is locked skipped C:\Documents and Settings\Dale\Local Settings\Temp\~DF2829.tmp Object is locked skipped C:\Documents and Settings\Dale\Local Settings\Temp\~DF2915.tmp Object is locked skipped C:\Documents and Settings\Dale\Local Settings\Temp\~DF417F.tmp Object is locked skipped C:\Documents and Settings\Dale\Local Settings\Temp\~DF41F6.tmp Object is locked skipped C:\Documents and Settings\Dale\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped C:\Documents and Settings\Dale\My Documents\My Received Files\120007.exe/WISE0017.BIN Infected: Trojan-Downloader.Win32.Small.bke skipped C:\Documents and Settings\Dale\My Documents\My Received Files\120007.exe/WISE0018.BIN Infected: not-a-virus:AdWare.Win32.NewDotNet skipped C:\Documents and Settings\Dale\My Documents\My Received Files\120007.exe/WISE0019.BIN/stream/data0007 Infected: not-a-virus:AdWare.Win32.ActivShopper.a skipped C:\Documents and Settings\Dale\My Documents\My Received Files\120007.exe/WISE0019.BIN/stream/data0008 Infected: not-a-virus:AdWare.Win32.ActivShopper.a skipped 
C:\Documents and Settings\Dale\My Documents\My Received Files\120007.exe/WISE0019.BIN/stream Infected: not-a-virus:AdWare.Win32.ActivShopper.a skipped C:\Documents and Settings\Dale\My Documents\My Received Files\120007.exe/WISE0019.BIN Infected: not-a-virus:AdWare.Win32.ActivShopper.a skipped C:\Documents and Settings\Dale\My Documents\My Received Files\120007.exe WiseSFX: infected - 6 skipped C:\Documents and Settings\Dale\My Documents\My Received Files\120007.exe WiseSFX Dropper: infected - 6 skipped C:\Documents and Settings\Dale\ntuser.dat Object is locked skipped C:\Documents and Settings\Dale\NTUSER.DAT.LOG Object is locked skipped C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped C:\Program Files\MSN Messenger\riched20.dll Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped C:\QooBox\Quarantine\C\WINDOWS\system32\vgqrxhsi.dll.vir Infected: not-a-virus:AdWare.Win32.BHO.v 
skipped C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped C:\System Volume Information\_restore{F3E05A8B-BB8B-4BC5-A869-3CA07A673408}\RP664\A0744498.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ki skipped C:\System Volume Information\_restore{F3E05A8B-BB8B-4BC5-A869-3CA07A673408}\RP664\A0744585.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.fp skipped C:\System Volume Information\_restore{F3E05A8B-BB8B-4BC5-A869-3CA07A673408}\RP664\A0744586.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ki skipped C:\System Volume Information\_restore{F3E05A8B-BB8B-4BC5-A869-3CA07A673408}\RP664\A0744609.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.fp skipped C:\System Volume Information\_restore{F3E05A8B-BB8B-4BC5-A869-3CA07A673408}\RP665\A0745630.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ki skipped C:\System Volume Information\_restore{F3E05A8B-BB8B-4BC5-A869-3CA07A673408}\RP665\A0745632.exe Infected: not-a-virus:AdWare.Win32.AdWeb.a skipped C:\System Volume Information\_restore{F3E05A8B-BB8B-4BC5-A869-3CA07A673408}\RP665\A0746676.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ki skipped C:\System Volume Information\_restore{F3E05A8B-BB8B-4BC5-A869-3CA07A673408}\RP666\A0746733.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ki skipped C:\System Volume Information\_restore{F3E05A8B-BB8B-4BC5-A869-3CA07A673408}\RP668\A0746758.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.fp skipped C:\System Volume Information\_restore{F3E05A8B-BB8B-4BC5-A869-3CA07A673408}\RP668\A0746765.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ki skipped C:\System Volume Information\_restore{F3E05A8B-BB8B-4BC5-A869-3CA07A673408}\RP668\A0746772.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ki skipped C:\System Volume Information\_restore{F3E05A8B-BB8B-4BC5-A869-3CA07A673408}\RP668\A0746780.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ki skipped C:\System Volume 
Information\_restore{F3E05A8B-BB8B-4BC5-A869-3CA07A673408}\RP669\A0746836.dll Infected: not-a-virus:AdWare.Win32.BHO.v skipped C:\System Volume Information\_restore{F3E05A8B-BB8B-4BC5-A869-3CA07A673408}\RP671\A0748029.dll Infected: not-a-virus:AdWare.Win32.BHO.v skipped C:\System Volume Information\_restore{F3E05A8B-BB8B-4BC5-A869-3CA07A673408}\RP673\change.log Object is locked skipped C:\VundoFix Backups\ddayx.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.fp skipped C:\VundoFix Backups\hhhcyhsi.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.ki skipped C:\VundoFix Backups\qyueonyy.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.ki skipped C:\VundoFix Backups\wynoixmr.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.ki skipped C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped C:\WINDOWS\SchedLgU.Txt Object is locked skipped C:\WINDOWS\SoftwareDistribution\EventCache\{0980CAA7-08D6-4E03-994F-2B9D8957FB4E}.bin Object is locked skipped C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped C:\WINDOWS\Sti_Trace.log Object is locked skipped C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped C:\WINDOWS\system32\config\default Object is locked skipped C:\WINDOWS\system32\config\default.LOG Object is locked skipped C:\WINDOWS\system32\config\SAM Object is locked skipped C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped C:\WINDOWS\system32\config\SECURITY Object is locked skipped C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped C:\WINDOWS\system32\config\software Object is locked skipped C:\WINDOWS\system32\config\software.LOG Object is locked skipped C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped C:\WINDOWS\system32\config\system Object is locked skipped 
C:\WINDOWS\system32\config\system.LOG Object is locked skipped C:\WINDOWS\system32\h323log.txt Object is locked skipped C:\WINDOWS\system32\KVIF_7.dll/data0002/data0002 Infected: Trojan-Downloader.Win32.Keenval skipped C:\WINDOWS\system32\KVIF_7.dll/data0002/data0004 Infected: Trojan-Downloader.Win32.Keenval skipped C:\WINDOWS\system32\KVIF_7.dll/data0002/data0005 Infected: Trojan-Downloader.Win32.Keenval skipped C:\WINDOWS\system32\KVIF_7.dll/data0002 Infected: Trojan-Downloader.Win32.Keenval skipped C:\WINDOWS\system32\KVIF_7.dll/data0008 Infected: Trojan-Downloader.Win32.Keenval.e skipped C:\WINDOWS\system32\KVIF_7.dll/data0009 Infected: Trojan-Downloader.Win32.Keenval.e skipped C:\WINDOWS\system32\KVIF_7.dll NSIS: infected - 6 skipped C:\WINDOWS\system32\KVIF_7.dll Exe2Dll: infected - 6 skipped C:\WINDOWS\system32\vywlvhsp.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped C:\WINDOWS\system32\Xcite.dll Infected: not-a-virus:AdWare.Win32.F1Organizer.m skipped C:\WINDOWS\wiadebug.log Object is locked skipped C:\WINDOWS\wiaservc.log Object is locked skipped C:\WINDOWS\WindowsUpdate.log Object is locked skipped C:\WINDOWS\{00000000-00000000-00000009-00001102-00000004-00511102}.CDF Object is locked skipped Scan process completed.
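The scan report above is one line per object, and most of it is noise: locked registry hives and index.dat files the scanner could not open, members inside a single dropper, hits in System Restore points and in other tools' quarantine folders. Before acting on such a report it helps to reduce it to the on-disk files that actually carry a detection. The Python below is an added example written for this page, not code from the thread or from Kaspersky; it parses the three line shapes the report uses ("Object is locked", "Infected: <name>", and the "<container>: infected - N" roll-up for archives), collapses archive members onto their host file, and triages the hosts by location. The sample report is a constructed subset of the lines posted above, and the location markers (restore-point and quarantine paths) are assumptions based on the paths in this thread.

```python
"""Added example (not code from the thread): parse a Kaspersky online-scanner
report in the format posted above, collapse archive members onto their host
file, and triage detections by where the file lives."""
import re
from collections import defaultdict

LOCKED_SUFFIX = " Object is locked skipped"
INFECTED_MARK = " Infected: "
# "<path> <container>: infected - <n> skipped" is the scanner's roll-up line for
# an installer/archive whose members were flagged (e.g. "WiseSFX Dropper", "NSIS").
CONTAINER_RE = re.compile(
    r"^(?P<path>.+?) (?P<container>[A-Za-z0-9]+(?: [A-Za-z0-9]+)*): "
    r"infected - (?P<count>\d+) skipped$"
)

# Constructed sample: a handful of lines copied from the report posted above.
SAMPLE_REPORT = r"""
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\Dale\My Documents\My Received Files\120007.exe/WISE0017.BIN Infected: Trojan-Downloader.Win32.Small.bke skipped
C:\Documents and Settings\Dale\My Documents\My Received Files\120007.exe/WISE0018.BIN Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
C:\Documents and Settings\Dale\My Documents\My Received Files\120007.exe WiseSFX Dropper: infected - 6 skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\vgqrxhsi.dll.vir Infected: not-a-virus:AdWare.Win32.BHO.v skipped
C:\System Volume Information\_restore{F3E05A8B-BB8B-4BC5-A869-3CA07A673408}\RP664\A0744498.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ki skipped
C:\VundoFix Backups\ddayx.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.fp skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\KVIF_7.dll/data0002 Infected: Trojan-Downloader.Win32.Keenval skipped
C:\WINDOWS\system32\KVIF_7.dll NSIS: infected - 6 skipped
C:\WINDOWS\system32\vywlvhsp.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
Scan process completed.
"""


def parse_line(line):
    """Return (kind, host_path, archive_member, detection), or None if unrecognised."""
    line = line.strip()
    if line.endswith(LOCKED_SUFFIX):
        return ("locked", line[: -len(LOCKED_SUFFIX)], None, None)
    if INFECTED_MARK in line and line.endswith(" skipped"):
        path, _, rest = line.partition(INFECTED_MARK)
        detection = rest[: -len(" skipped")]
        # "host.exe/member" means the hit is inside an archive; the host is the file on disk.
        host, _, member = path.partition("/")
        return ("infected", host, member or None, detection)
    m = CONTAINER_RE.match(line)
    if m:
        return ("container", m["path"], None, f"{m['container']} ({m['count']} infected members)")
    return None


def summarise(report_text):
    """Count line kinds and map each on-disk host file to the set of detection names."""
    stats = {"locked": 0, "infected": 0, "container": 0, "unparsed": 0}
    detections = defaultdict(set)
    for raw in report_text.splitlines():
        if not raw.strip():
            continue
        parsed = parse_line(raw)
        if parsed is None:
            stats["unparsed"] += 1
            continue
        kind, host, _member, detection = parsed
        stats[kind] += 1
        if kind == "infected":
            detections[host].add(detection)
    return stats, dict(detections)


def triage(detections):
    """Group detected host files by location (markers assumed from the paths in this thread):
    restore-point copies and other tools' quarantine are not active on the live system."""
    groups = {"live": [], "restore_point": [], "quarantine": []}
    for host in sorted(detections):
        low = host.lower()
        if "\\system volume information\\_restore" in low:
            groups["restore_point"].append(host)
        elif "\\qoobox\\quarantine\\" in low or "\\vundofix backups\\" in low:
            groups["quarantine"].append(host)
        else:
            groups["live"].append(host)
    return groups


def active_malware(detections):
    """Live files with at least one detection that is not a 'not-a-virus:' adware/riskware label."""
    live = triage(detections)["live"]
    return [h for h in live if any(not d.startswith("not-a-virus:") for d in detections[h])]


if __name__ == "__main__":
    stats, found = summarise(SAMPLE_REPORT)
    print(stats)
    for group, hosts in triage(found).items():
        print(group, hosts)
    print("needs removal:", active_malware(found))
```

On the sample, the 12 report lines reduce to six host files, of which only three are live and carry a real trojan label (the 120007.exe dropper, KVIF_7.dll and vywlvhsp.exe); the Virtumonde hits are all in restore points or in VundoFix's own backup folder.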



#11 Simon V.

Simon V.

    MRU Emeritus

  • Authentic Member
  • 897 posts

Posted 02 July 2007 - 08:28 AM

  • Hi :)

    Combofix
  • Open Notepad, and copy/paste the text in the quotebox below into it:

    File::
    
    C:\WINDOWS\system32\dagovfw.dll
    C:\WINDOWS\system32\rttss.bak2
    C:\WINDOWS\system32\rttss.bak1
    C:\WINDOWS\system32\orqss.bak1
    C:\WINDOWS\system32\orqss.bak2
    C:\WINDOWS\system32\vywlvhsp.exe
    C:\WINDOWS\system32\KVIF_7.dll
    C:\WINDOWS\system32\Xcite.dll
    C:\Documents and Settings\Dale\My Documents\My Received Files\120007.exe
    C:\Program Files\MSN Messenger\riched20.dll
    
    
    Folder::
    
    C:\VundoFix Backups
    C:\Program Files\DriveCleaner Search Toolbar
  • Save this as ComboFix-Do.txt.

    Posted Image
  • Referring to the picture above, drag ComboFix-Do.txt into ComboFix.exe.
  • It will create a log. Be sure to save it to a convenient location.

    Download and Run Blacklight
  • Download F-Secure Blacklight (fsbl.exe) to your desktop from here.
    • Open it and click Accept Agreement.
    • Click Scan.
    • After the scan is complete, click Next, then Exit.
    • It will create a log on the desktop named fsbl-xxxxxxx.log (the xxxxxxx will be the date and time of the scan).
    Report Back
  • Please post the reports from Combofix and Blacklight, along with a new HijackThis log in your next reply.
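The ComboFix script in the post above is a plain text file with section headers ending in "::" followed by one path per line; ComboFix deletes the File:: entries and the Folder:: trees when the script is dropped onto it. One thing worth doing before running it is to record what is actually on disk, with hashes, so the deleted samples can still be identified afterwards. The Python below is an added example for this page, not ComboFix's code or anything from the thread: it parses the File::/Folder:: format and writes a pre-removal inventory (existence, size, SHA-256). Mapping "C:\..." onto a fixture directory, and the fixture contents themselves, are assumptions so the script can be exercised offline on any OS.

```python
"""Added example (not ComboFix's code): parse a File::/Folder:: removal script
and take a hash inventory of its targets before the removal tool deletes them."""
import hashlib
import tempfile
from pathlib import Path

# Constructed subset of the script posted above.
SCRIPT = r"""
File::

C:\WINDOWS\system32\vywlvhsp.exe
C:\WINDOWS\system32\KVIF_7.dll
C:\Program Files\MSN Messenger\riched20.dll

Folder::

C:\VundoFix Backups
"""


def parse_script(text):
    """Map each 'Name::' section header to the list of paths beneath it."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("::"):
            current = line[:-2]
            sections.setdefault(current, [])
        elif current is None:
            raise ValueError(f"path before any section header: {line!r}")
        else:
            sections[current].append(line)
    return sections


def to_local(win_path, root):
    """Assumption for testing: map 'C:\\dir\\file' onto <root>/C/dir/file."""
    parts = [p for p in win_path.replace("\\", "/").split("/") if p]
    parts[0] = parts[0].rstrip(":")
    return Path(root, *parts)


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(1 << 16), b""):
            h.update(block)
    return h.hexdigest()


def describe(label, p):
    """Absent targets are recorded too, so the inventory shows what was already gone."""
    if not p.is_file():
        return {"target": label, "exists": False}
    return {"target": label, "exists": True, "size": p.stat().st_size, "sha256": sha256_of(p)}


def inventory(sections, root):
    """One record per File:: entry and per file under each Folder:: entry (recursive)."""
    records = [describe(w, to_local(w, root)) for w in sections.get("File", [])]
    for win_dir in sections.get("Folder", []):
        d = to_local(win_dir, root)
        if not d.is_dir():
            records.append({"target": win_dir, "exists": False})
            continue
        for p in sorted(d.rglob("*")):
            if p.is_file():
                label = win_dir + "\\" + str(p.relative_to(d)).replace("/", "\\")
                records.append(describe(label, p))
    return records


def demo():
    """Build a throwaway fixture (constructed bytes, not the real samples) and inventory it."""
    fixture = {
        r"C:\WINDOWS\system32\vywlvhsp.exe": b"MZ-fixture-1",
        r"C:\VundoFix Backups\ddayx.dll.bad": b"fixture-2",
        r"C:\VundoFix Backups\hhhcyhsi.dll.bad": b"fixture-3",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, data in fixture.items():
            p = to_local(rel, root)
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(data)
        return inventory(parse_script(SCRIPT), root)


if __name__ == "__main__":
    for record in demo():
        print(record)
```

Run against the real machine you would pass the drive root (or adapt to_local to return the path unchanged) and keep the printed records with the ComboFix log; the "Other Deletions" list in the next post is exactly the set of paths this inventory would have hashed beforehand.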


#12 archer300

archer300

    New Member

  • New Member
  • 9 posts

Posted 02 July 2007 - 09:35 PM

"Dale" - 2007-07-02 14:42:24 - ComboFix 07-06-27.7 - Service Pack 2 NTFS
Command switches used :: C:\Documents and Settings\Dale\Desktop\ComboFix-Do.txt


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Documents and Settings\Dale\My Documents\My Received Files\120007.exe
C:\Program Files\DriveCleaner Search Toolbar
C:\Program Files\DriveCleaner Search Toolbar\data.ini
C:\Program Files\MSN Messenger\riched20.dll
C:\VundoFix Backups
C:\VundoFix Backups\ddayx.dll.bad
C:\VundoFix Backups\hhhcyhsi.dll.bad
C:\VundoFix Backups\ilkkj.bak1.bad
C:\VundoFix Backups\ilkkj.ini.bad
C:\VundoFix Backups\ishychhh.ini.bad
C:\VundoFix Backups\pqtwa.bak1.bad
C:\VundoFix Backups\pqtwa.bak2.bad
C:\VundoFix Backups\pqtwa.ini.bad
C:\VundoFix Backups\qyueonyy.dll.bad
C:\VundoFix Backups\rmxionyw.ini.bad
C:\VundoFix Backups\wycdd.bak1.bad
C:\VundoFix Backups\wycdd.bak2.bad
C:\VundoFix Backups\wycdd.ini.bad
C:\VundoFix Backups\wynoixmr.dll.bad
C:\VundoFix Backups\xyadd.bak1.bad
C:\VundoFix Backups\xyadd.bak2.bad
C:\VundoFix Backups\xyadd.ini.bad
C:\VundoFix Backups\yyadd.bak1.bad
C:\VundoFix Backups\yyadd.bak2.bad
C:\VundoFix Backups\yyadd.ini.bad
C:\VundoFix Backups\yynoeuyq.ini.bad
C:\WINDOWS\system32\dagovfw.dll
C:\WINDOWS\system32\KVIF_7.dll
C:\WINDOWS\system32\orqss.bak1
C:\WINDOWS\system32\orqss.bak2
C:\WINDOWS\system32\rttss.bak1
C:\WINDOWS\system32\rttss.bak2
C:\WINDOWS\system32\vywlvhsp.exe
C:\WINDOWS\system32\Xcite.dll


((((((((((((((((((((((((( Files Created from 2007-06-02 to 2007-07-02 )))))))))))))))))))))))))))))))


2007-07-01 21:44 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-07-01 21:44 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab
2007-06-29 19:06 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-27 19:26 <DIR> d-------- C:\DOCUME~1\Dale\APPLIC~1\TrojanHunter
2007-06-27 19:25 <DIR> d-------- C:\{00002A3A-0000-0000-1227-BED219CF8ECB}
2007-06-27 19:25 <DIR> d-------- C:\{00002394-0000-0000-C886-59AE0CA0DBF8}
2007-06-27 17:51 <DIR> d-------- C:\Program Files\TrojanHunter 4.7
2007-06-27 17:29 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2007-06-27 17:25 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-06-27 17:24 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-06-27 17:24 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-06-27 17:24 <DIR> d-------- C:\DOCUME~1\Dale\APPLIC~1\SUPERAntiSpyware.com


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-02 19:45:27 -------- d-----w C:\Program Files\MSN Messenger
2007-07-02 19:05:36 24 ----a-w C:\WINDOWS\system32\DVCStateBkp-{00000000-00000000-00000009-00001102-00000004-00511102}.dat
2007-07-02 19:05:36 24 ----a-w C:\WINDOWS\system32\DVCState-{00000000-00000000-00000009-00001102-00000004-00511102}.dat
2007-06-27 00:17:57 -------- d-----w C:\Program Files\Google
2007-06-05 22:35:43 2,048 ----a-w C:\WINDOWS\system32\Tr_sttool.dat
2007-05-30 20:29:28 -------- d-----w C:\Program Files\PopsMedia
2007-05-30 20:29:28 -------- d-----w C:\Program Files\IncrediMail
2007-05-30 20:29:27 -------- d-----w C:\Program Files\InterActual
2007-05-30 12:10:42 10,872 ----a-w C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-05-29 20:43:44 -------- d-----w C:\Program Files\Common Files\Real
2007-05-29 20:41:58 -------- d-----w C:\DOCUME~1\Dale\APPLIC~1\Real
2007-05-23 02:39:04 -------- d-----w C:\Program Files\LimeWire
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-05-15 19:08:45 -------- d-----w C:\Program Files\Windows Media Connect 2
2007-04-27 14:31:20 405,504 ----a-w C:\WINDOWS\undst.exe
2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-17 03:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-17 03:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-17 03:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-17 03:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-17 03:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-17 03:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-17 03:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-17 03:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-04-14 03:04:21 2,933 -c--a-w C:\WINDOWS\mozver.dat


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx [2001-03-02 12:02]
{53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 02:04]
{AA58ED58-01DD-4d91-8333-CF10577473F7}=c:\program files\google\googletoolbar2.dll [2007-01-19 23:55]
{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}=C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll [2007-06-23 22:15]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2005-09-03 19:21]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-04-20 15:25]
"Disc Detector"="C:\Program Files\Creative\ShareDLL\CtNotify.exe" [2001-04-02 02:00]
"CTStartup"="C:\Program Files\Creative\SBAudigy\Program\CTEaxSpl.exe" [2001-06-04 01:00]
"Jet Detection"="C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe" [2001-04-20 14:52]
"THGuard"="C:\Program Files\TrojanHunter 4.7\THGuard.exe" [2007-06-23 00:19]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 04:25]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TaskTray"="C:\Program Files\Creative\SBAudigy\Taskbar\CTLTray.exe" [2001-06-29 01:00]
"Taskbar"="C:\Program Files\Creative\SBAudigy\Taskbar\CTLTask.exe" [2001-07-26 01:00]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-23 22:15]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 20:05]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
@=

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2007-06-29 15:13]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"="C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2006-12-20 13:55]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Driver]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Guard]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^DataViz Messenger.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\DataViz Messenger.lnk
backup=C:\WINDOWS\pss\DataViz Messenger.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HotSync Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HotSync Manager.lnk
backup=C:\WINDOWS\pss\HotSync Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Dale^Start Menu^Programs^Startup^PowerReg Scheduler.exe]
path=C:\Documents and Settings\Dale\Start Menu\Programs\Startup\PowerReg Scheduler.exe
backup=C:\WINDOWS\pss\PowerReg Scheduler.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Dale^Start Menu^Programs^Startup^UCmore XP - The Search Accelerator.lnk]
path=C:\Documents and Settings\Dale\Start Menu\Programs\Startup\UCmore XP - The Search Accelerator.lnk
backup=C:\WINDOWS\pss\UCmore XP - The Search Accelerator.lnkStartup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATI Launchpad]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C-Media Mixer]
Mixer.exe /startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccRegVfy]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CHotkey]
mHotkey.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CNYHKey]
CNYHKey.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CreativeMouse ]
C:\Program Files\Creative\Desktop Wireless\mouse_2k.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ezShieldProtector for Px]
C:\WINDOWS\System32\ezSP_Px.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Instant Access]
rundll32.exe EGCOMLIB_1035.dll,InstantAccess

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelliPoint]
"C:\Program Files\Microsoft IntelliPoint\point32.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QMusic]
"C:\Program Files\BenQ\QMusic2\QMAgent.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StopHid]
StopHid.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]


**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-02 14:46:13
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Disc Detector = C:\Program Files\Creative\ShareDLL\CtNotify.exe?X???????????????? C?????Disc Detector?B???A???????A?@ ????B???@?$?@?? C?????U?@?????????@?B???A???????A?? ????B???@?????P???$?@?P ????????A~??????????@???????????????????B?????? ????????????????????????????B
CTStartup = C:\Program Files\Creative\SBAudigy\Program\CTEaxSpl.EXE /run????????????x??????s$????\?w? ?w???????w???w4???????.??w4???????4???TA?s4????????:2???A~??A~????????\???\???0???$???U?A~??A~\???\???0????da???????B~\???\??????s????\??????s\???h:2?A??sh:2???B~???

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-02 14:46:55
C:\ComboFix-quarantined-files.txt ... 2007-07-02 14:46
C:\ComboFix2.txt ... 2007-06-29 19:16

--- E O F ---

-------------------------------------------------------------------------------------------------------------------------------------------------------

BLACKLIGHT

07/02/07 19:18:36 [Info]: BlackLight Engine 1.0.64 initialized
07/02/07 19:18:36 [Info]: OS: 5.1 build 2600 (Service Pack 2)
07/02/07 19:18:36 [Note]: 7019 4
07/02/07 19:18:36 [Note]: 7005 0
07/02/07 19:18:45 [Note]: 7006 0
07/02/07 19:18:45 [Note]: 7011 1760
07/02/07 19:18:46 [Note]: 7026 0
07/02/07 19:18:46 [Note]: 7026 0
07/02/07 19:18:48 [Note]: FSRAW library version 1.7.1022

---------------------------------------------------------------------------------------------------------------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 10:31:53 PM, on 7/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Creative\SBAudigy\Taskbar\CTLTray.exe
C:\Program Files\Creative\SBAudigy\Taskbar\CTLTask.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Creative\ShareDLL\MediaDet.Exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Dale\Desktop\Scanner.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local.,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\SBAudigy\Program\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.7\THGuard.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [TaskTray] C:\Program Files\Creative\SBAudigy\Taskbar\CTLTray.exe
O4 - HKCU\..\Run: [Taskbar] C:\Program Files\Creative\SBAudigy\Taskbar\CTLTask.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_01\bin\npjpi141_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_01\bin\npjpi141_01.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\System32\shdocvw.dll
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.co...ad/MsnPUpld.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zon...1/GAME_UNO1.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onec...lscbase8300.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F003DD9B-BD7D-46CA-A7FA-3F701C805F44}: NameServer = 192.168.0.1
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
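A triage pass over HijackThis O-lines like the ones above, as an added example (it is not part of the thread and not HijackThis's own logic). The sample log is constructed after this thread's entries, with a placeholder O16 host and one constructed Temp-folder autorun; the "trusted roots" heuristic and the severities are assumptions, chosen to surface the entries an analyst reads first: a "(no file)" registration, the Winsock LSP, ActiveX downloads, the Winlogon Notify DLL, services with no publisher, and any non-private DNS server.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Constructed sample, shaped after the log in this thread.  The O16 host is a
# placeholder; the truncated URLs of the real post are not reproduced here.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.7\THGuard.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [update] C:\Documents and Settings\user\Local Settings\Temp\update.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://scanner.example.com/webscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F003DD9B-BD7D-46CA-A7FA-3F701C805F44}: NameServer = 192.168.0.1
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

LINE_RE = re.compile(r"^(O\d+) - (.*)$")
O4_RE = re.compile(r"^HK\w+\\\.\.\\\w+: \[[^\]]*\] (.*)$")
EXE_RE = re.compile(r'"?(.+?\.exe)"?', re.IGNORECASE)
# Heuristic (assumption): autorun binaries outside these roots get a closer look.
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\windows\\")


def parse(log_text):
    """Return (section, body) pairs for every 'Onn - ...' line; skip the rest."""
    pairs = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            pairs.append((m.group(1), m.group(2)))
    return pairs


def exe_path(cmd):
    """Executable path from an O4 command line (quoted or not), or None."""
    m = EXE_RE.match(cmd.strip())
    return m.group(1) if m else None


def triage(log_text):
    """Return (severity, section, reason, line) findings in log order."""
    findings = []
    for section, body in parse(log_text):
        if "(no file)" in body:
            # Dangling registration: the DLL is gone, the registry entry is not.
            findings.append(("fix", section, "registered file no longer exists", body))
        elif section == "O4":
            m = O4_RE.match(body)
            path = exe_path(m.group(1)) if m else None
            if path and not path.lower().startswith(TRUSTED_ROOTS):
                findings.append(("review", section, "autorun binary outside Program Files or Windows", body))
        elif section == "O10":
            findings.append(("review", section, "Winsock LSP: every socket call passes through this DLL", body))
        elif section == "O16":
            host = urlparse(body.rsplit(" - ", 1)[-1]).hostname or "?"
            findings.append(("review", section, "ActiveX control installed from " + host, body))
        elif section == "O17":
            for token in re.split(r"[,\s]+", body.split("NameServer = ", 1)[-1]):
                try:
                    ip = ipaddress.ip_address(token)
                except ValueError:
                    continue
                if not ip.is_private:
                    findings.append(("review", section, "DNS server %s is not a private address" % ip, body))
        elif section == "O20":
            findings.append(("review", section, "Winlogon Notify DLL loads into winlogon.exe", body))
        elif section == "O23" and "Unknown owner" in body:
            findings.append(("review", section, "service binary carries no publisher name", body))
    return findings


if __name__ == "__main__":
    for severity, section, reason, line in triage(SAMPLE_LOG):
        print("%-6s %-4s %s\n       %s" % (severity, section, reason, line))
```

Run against the constructed sample it reports the O2 entry as "fix" and five "review" items; the O17 line is silent because 192.168.0.1 is a private (router) address, which is the case in this thread's log. Everything marked "review" still needs a human decision: an LSP from Bonjour or a Winlogon Notify DLL from SUPERAntiSpyware is legitimate, but the same slots are exactly where malware installs itself.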

#13 Simon V.


    MRU Emeritus

  • Authentic Member
  • 897 posts

Posted 03 July 2007 - 01:22 PM

  • Hi :)
  • There is a strange registry entry in your Combofix log, and it’s related to your soundcard driver. Is your card/software of a foreign language, or are you experiencing any problems with the software?

    Run a .bat File
  • Please copy and paste the text in the code box into Notepad.

    dir /a /s "C:\{00002A3A-0000-0000-1227-BED219CF8ECB}" > C:\files1.txt
    dir /a /s "C:\{00002394-0000-0000-C886-59AE0CA0DBF8}" > C:\files2.txt
  • Go to File > Save As:. Save the file as "Look.bat" (Including the quotes). Make sure to save the file as "All types", not as a Textfile.
  • Double-click on Look.bat to run the file.
  • Two files will be created at the root of your drive (C: ), they are called files1.txt and files2.txt. Please post their contents in your next reply.

Edited by Simon V., 03 July 2007 - 01:24 PM.


#14 archer300


    New Member

  • New Member
  • 9 posts

Posted 03 July 2007 - 08:29 PM

Yes, my soundcard's been a little messed up, all the voice effects always disappear after I reinstall it.

Files1

 Volume in drive C has no label.
 Volume Serial Number is C087-2F8A

 Directory of C:\{00002A3A-0000-0000-1227-BED219CF8ECB}

06/27/2007  07:25 PM    <DIR>          .
06/27/2007  07:25 PM    <DIR>          ..
06/27/2007  07:25 PM         1,514,657 DATA.CAB
06/27/2007  07:25 PM               878 Manifest.ini
06/27/2007  07:25 PM               878 Manifest.qrm
               3 File(s)      1,516,413 bytes

     Total Files Listed:
               3 File(s)      1,516,413 bytes
               2 Dir(s)  18,533,793,792 bytes free

Files2

 Volume in drive C has no label.
 Volume Serial Number is C087-2F8A

 Directory of C:\{00002394-0000-0000-C886-59AE0CA0DBF8}

06/27/2007  07:25 PM    <DIR>          .
06/27/2007  07:25 PM    <DIR>          ..
06/27/2007  07:25 PM         2,511,096 DATA.CAB
06/27/2007  07:25 PM             1,334 Manifest.ini
06/27/2007  07:25 PM             1,334 Manifest.qrm
               3 File(s)      2,513,764 bytes

     Total Files Listed:
               3 File(s)      2,513,764 bytes
               2 Dir(s)  18,533,793,792 bytes free
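The Look.bat step in #13 produces plain `dir /a /s` text, and the listing in #14 comes back pasted into a post. The parser below is an added example (not the helper's or the poster's code) that turns such a listing back into records, cross-checks the listing's own "Total Files Listed" summary against the rows, and pulls out any executable an analyst would want to look at. It assumes the US-English `dir` format with a 12-hour clock, as shown in the post; the sample input is the first listing from this thread.

```python
import re
from collections import namedtuple

# The first listing from the thread, used here as the sample input.
LISTING = r"""
 Volume in drive C has no label.
 Volume Serial Number is C087-2F8A

 Directory of C:\{00002A3A-0000-0000-1227-BED219CF8ECB}

06/27/2007  07:25 PM    <DIR>          .
06/27/2007  07:25 PM    <DIR>          ..
06/27/2007  07:25 PM         1,514,657 DATA.CAB
06/27/2007  07:25 PM               878 Manifest.ini
06/27/2007  07:25 PM               878 Manifest.qrm
               3 File(s)      1,516,413 bytes

     Total Files Listed:
               3 File(s)      1,516,413 bytes
               2 Dir(s)  18,533,793,792 bytes free
"""

Entry = namedtuple("Entry", "directory name size stamp")

HEADER_RE = re.compile(r"^Directory of (.+)$")
# date  time  <DIR>|size  name   (US-English dir output, 12-hour clock)
ROW_RE = re.compile(r"^(\d{2}/\d{2}/\d{4})\s+(\d{2}:\d{2} [AP]M)\s+(<DIR>|[\d,]+)\s+(.+)$")
TOTAL_RE = re.compile(r"^(\d+) File\(s\)\s+([\d,]+) bytes$")


def parse_dir_listing(text):
    """Turn `dir /a /s` output into Entry records, one per file (directories skipped)."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        h = HEADER_RE.match(line)
        if h:
            current = h.group(1).strip()
            continue
        m = ROW_RE.match(line)
        if not m or current is None:
            continue
        date, time, size, name = m.groups()
        if size == "<DIR>":
            continue  # '.', '..' and subdirectory markers carry no file data
        entries.append(Entry(current, name, int(size.replace(",", "")), date + " " + time))
    return entries


def verify_totals(text):
    """Check the listing's final 'N File(s) X bytes' line against the parsed rows."""
    entries = parse_dir_listing(text)
    totals = [m for m in (TOTAL_RE.match(l.strip()) for l in text.splitlines()) if m]
    if not totals:
        return False
    count = int(totals[-1].group(1))
    size = int(totals[-1].group(2).replace(",", ""))
    return count == len(entries) and size == sum(e.size for e in entries)


def executables(entries, suffixes=(".exe", ".dll", ".sys", ".scr", ".com")):
    """Files an analyst would pull for a closer look; none expected in an installer cache."""
    return [e for e in entries if e.name.lower().endswith(suffixes)]


def by_directory(entries):
    """{directory: (file count, total bytes)} for listings that cover several folders."""
    summary = {}
    for e in entries:
        count, total = summary.get(e.directory, (0, 0))
        summary[e.directory] = (count + 1, total + e.size)
    return summary


if __name__ == "__main__":
    rows = parse_dir_listing(LISTING)
    for e in rows:
        print("%-12s %12d  %s  %s" % (e.name, e.size, e.stamp, e.directory))
    print("totals consistent:", verify_totals(LISTING))
    print("executables:", [e.name for e in executables(rows)])
```

For the two folders in this thread the parser finds only a DATA.CAB and a pair of Manifest files of identical size in each, and no executables, which fits the helper's reading that these are soundcard driver installer leftovers rather than an infection. A truncated paste shows up as a totals mismatch, which is worth checking before drawing conclusions from a listing someone else copied by hand.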

#15 Simon V.


    MRU Emeritus

  • Authentic Member
  • 897 posts

Posted 04 July 2007 - 05:33 AM

  • Hi :)

    Fix Entries with HijackThis
  • Open HijackThis, perform a scan and put a check next to the following items (if present):

    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

    Close all programs except HijackThis and click on Fix checked.

    Update Java
  • Your Java software is out of date. Follow these instructions to update it:
    • Go to Start and click on Control Panel, then double-click on Add or Remove Programs.
    • Search for previously installed versions of Java (J2SE Runtime Environment), and remove it. It should have the Java icon next to it.
    • Then download and install Java Runtime Environment Version 6u2.
    Prevention
  • Congratulations, your log looks clean. Please advise of any problems you are still experiencing, or follow these simple steps to keep your computer clean in the future:
    • Delete Tools - You can now delete the following files/folders:
      • Combofix.exe, C:\Qoobox
      • Vundofix.exe
    • Rehide your System Files
      • Double-click My Computer.
      • Click the Tools menu, and then click Folder Options.
      • Click the View tab.
      • Put a check next to Hide file extensions for known file types.
      • Under the Hidden files folder, select Do not show hidden files and folders.
      • Check Hide protected operating system files.
      • Click Apply, and then click OK.
    • Disable and Enable System Restore - If you are using Windows ME or XP then you should disable and re-enable system restore to make sure there are no infected files found in a restore point.
      • Turn off System Restore.
      • On the desktop, right-click My Computer
      • Click Properties
      • Click the System Restore tab
      • Check Turn off System Restore
      • Click Apply, and then click OK
      • Reboot.
      • Turn on System Restore.
      • On the desktop, right-click My Computer
      • Click Properties
      • Click the System Restore tab
      • Uncheck Turn off System Restore
      • Click Apply, and then click OK
      NOTE: only do this ONCE, NOT on a regular basis!
    • Make your Internet Explorer more secure
    • From within Internet Explorer click on the Tools menu and then click on Options.
      • Click once on the Security tab.
      • Click once on the Internet icon so it becomes highlighted.
      • Click once on the Custom Level button.
        • Change the Download signed ActiveX controls to Prompt.
        • Change the Download unsigned ActiveX controls to Disable.
        • Change the Initialise and script ActiveX controls not marked as safe to Disable.
        • Change the Installation of desktop items to Prompt.
        • Change the Launching programs and files in an IFRAME to Prompt.
        • Change the Navigate sub-frames across different domains to Prompt.
      • When all these settings have been made, click on the OK button.
      • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    • Next press the Apply button and then the OK to exit the Internet Properties page.
  • Update your Anti-Virus Software - It is very important that you update your Anti-Virus software at least once a week (even more if you wish). If you do not update your Anti-Virus software then it will not be able to catch any of the new variants that may come out.
  • Use a Firewall - A firewall is very important for the security of your computer. The Windows Firewall which comes with Service Pack 2 does not monitor outgoing connections, so any malware can 'phone home' without you knowing it. For an article on firewalls and a listing of some available ones see the link below:
    Computer Safety On line - Software Firewalls
  • Visit Microsoft's Update Site Frequently - It is important that you visit http://update.microsoft.com/ regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
  • Install Ad-Aware - Install and download Ad-Aware. You should also scan your computer with the program on a regular basis just as you would an anti virus software in conjunction with Spybot. A tutorial on installing & using this product can be found here:
    Instructions for - Spybot S & D and Ad-aware
  • Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs. An article on anti-malware products with links for this program and others can be found here:
    Computer Safety on line - Anti-Malware
  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

    Follow this list and your potential for being infected again will reduce dramatically.
  • Stand Up and Be Counted!

    Please take the time to tell us what you would like to be done about the people who are behind all the problems you have had. We can only get something done about this if the people that we help, like you, are prepared to complain. We have a dedicated forum for collecting these complaints, Malware Complaints. You have to be registered to post; after registering, just find your country room and register your complaint.
    The infection you had was Vundo.
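The six Internet-zone settings in the "Make your Internet Explorer more secure" steps above are stored as DWORD values under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 (zone 3 is the Internet zone), with 0 = Enable, 1 = Prompt and 3 = Disable; the value names used here are Microsoft's documented action IDs for those dialog entries. The audit below is an added example, not from the thread: it compares a zone's current values with the levels the post recommends, treats a stricter setting as passing, and can read the live key with the standard-library winreg module on Windows. The sample zone is constructed and not taken from any real machine.

```python
try:
    import winreg  # Windows only; the audit itself needs no registry access
except ImportError:
    winreg = None

# HKCU key for the Internet zone (zone 3); the dialog in the post edits the same values.
ZONE_INTERNET = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"
ENABLE, PROMPT, DISABLE = 0, 1, 3
LEVEL_NAME = {ENABLE: "Enable", PROMPT: "Prompt", DISABLE: "Disable"}
STRICTNESS = {ENABLE: 0, PROMPT: 1, DISABLE: 2}

# Registry value name -> (label in the IE dialog, level the post recommends)
RECOMMENDED = {
    "1001": ("Download signed ActiveX controls", PROMPT),
    "1004": ("Download unsigned ActiveX controls", DISABLE),
    "1201": ("Initialize and script ActiveX controls not marked as safe", DISABLE),
    "1800": ("Installation of desktop items", PROMPT),
    "1804": ("Launching programs and files in an IFRAME", PROMPT),
    "1607": ("Navigate sub-frames across different domains", PROMPT),
}

# Constructed sample of a loosely configured zone; not read from any real machine.
SAMPLE_ZONE = {"1001": ENABLE, "1004": PROMPT, "1201": DISABLE,
               "1800": ENABLE, "1804": PROMPT, "1607": ENABLE}


def audit(current):
    """Return (value_name, label, current, wanted) for each setting that is
    missing, unrecognised, or looser than recommended.  Stricter passes."""
    problems = []
    for name, (label, wanted) in RECOMMENDED.items():
        have = current.get(name)
        if have not in STRICTNESS or STRICTNESS[have] < STRICTNESS[wanted]:
            problems.append((name, label, have, wanted))
    return problems


def format_report(problems):
    """One line per problem, in the wording of the dialog."""
    lines = []
    for name, label, have, wanted in problems:
        shown = LEVEL_NAME.get(have, "missing" if have is None else str(have))
        lines.append("%s (%s): %s -> set to %s" % (label, name, shown, LEVEL_NAME[wanted]))
    return lines


def read_internet_zone():
    """Read the live values from HKCU; raises on non-Windows hosts."""
    if winreg is None:
        raise RuntimeError("winreg is only available on Windows")
    values = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, ZONE_INTERNET) as key:
        for name in RECOMMENDED:
            try:
                data, _ = winreg.QueryValueEx(key, name)
                values[name] = int(data)
            except FileNotFoundError:
                pass  # value absent: audit() reports it as missing
    return values


if __name__ == "__main__":
    zone = read_internet_zone() if winreg else SAMPLE_ZONE
    report = format_report(audit(zone))
    for line in report or ["all six settings at or above the recommended level"]:
        print(line)
```

Two caveats when using this on a real machine: the per-user key only holds values that differ from the machine default, so a missing value means "default", not "unset", and the audit deliberately reports it so you look at the dialog rather than assume; and a zone pushed stricter than the post suggests (Disable on 1001) also blocks the signed online scanners and the Windows Genuine Advantage control that appear as O16 entries in this very log, which is why the post recommends Prompt rather than Disable for signed controls.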
